Welcome back to Cyber Underground. I'm Dave Stevens. Once again I teach for the University of Hawaii at the Kapiolani Community College campus. I teach in network security and ethical hacking. I also am the managing director of Kapu Technologies, a cybersecurity company right here in the Hawaiian Islands. And today with me I have two special guests. Don't laugh at me. You guys, that was pretty good. It was pretty good. Andrew Lanning and Gordon Bruce. How are you doing, guys? Thanks, brother. Andrew, I teach technologies right here in Hawaii. You're physical and electronic security. We do. And you're the DFARS Master. You're going to tell us all about you. You think? I'm the DFARS trainee. There are so many things that you've done for this state and thanks for being around. My pleasure. GGBN associates right now waiting to retire sometime in your 90s. He's not retired. He's never retiring. He just thinks he's retiring. I keep trying. His customers won't let him go. Yeah, with billable hours, how can you do it? It's hard to say no. Keep raising your rates and they just keep paying. Makes the governor happy. I mean, every time I cut that GE tax every, I do it one yesterday. Every time I send it in. Are you paying quarterly now? You're making way too much money. We're talking about the Federal Acquisition Regulation. Yeah. DFARS, the Defense Federal Acquisition Regulation, is it system or security? What's that S for? DFARS? I don't think we know. Regulations. Regulations. It's the S. It's system. Yeah, yeah. So the DFARS comes on all your DoD contracts now. Or the Defense Industrial Base, or DIB. Yeah. Pull the FAR up first. We have one slide. We got to keep our slides in order. Well, let's pull them up. I'll get confused. Let's pull up the slides. The acquisition regulation. This one is the bigger one. And we talked about just those baseline requirements in the FAR that everybody has regardless of DFARS. Now this has been around since 2014. Oh, the FAR forever. Yeah. 
We were supposed to do 2015. The NIST 800-171 was added, but it was self-attested. People weren't doing that. And the DFARS. And the DFARS. Yeah. The FAR is anybody, anybody gets federal money, has FAR stuff that they need to pay attention to. Yeah. You guys jump so far ahead that the viewer doesn't even know what the heck they're talking about. There's a FAR. There's a DFARS. Far, far away. There is a FAR. There's a FAR. So the FAR. In the DFARS. Can I call a time out for just a second? Sure. Anyone that is doing DOD work, some contractor or whatever, needs to comply with FAR and DFARS, right? Yes. So that's what we're here to talk about. So if you are a contractor that is doing work for the federal government, these are DOD. These are the requirements, the regulations that you have to follow that they were going to get even tougher with starting next year. Why does it make so much sense when he says it? Why is it relevant to the state of Hawaii? Well, why is it relevant to us? Okay. How many contractors do you think we have in Hawaii that are servicing the military? Well, with 11 bases in the state, 10,000. And so I'm throwing questions around just to get everybody interested. If I have a cleaning crew that's cleaning an office building in the federal space at DOD, does that cleaning crew have to be DFARS compliant? And we're not talking about technology or writing code or anything like that. What about the landscaper? They have to be compliant. But when we're talking about specific parts of the DFARS clause, there's other stuff in the DFARS. There's other stuff. So I'm just trying to clarify this. So I just want to clarify, there's a lot of things that are going to get tougher next year. Sure. And we're going to cover the technical side of it. Information security system stuff. This is the funny part. I don't consider this tougher. I consider this actually enforcing the toughness that's been there for years. It's best practice. 
It's going to get real. Well, it's going to get real. Best practices was in the FAR. That was safeguarding. Now nobody did that anyway. So now they said, oh, we're going to do it. We're going to make it tougher, but easier depends on who you talk to. Driving cars in the early 20th century, we had cars, we had roads, and then we started having signs and lights and people had to take a test to get a driver's license at a minimum age. Then you had to take training before you got your license. So it's a maturing process. I feel like I'm constantly taking tests. That's life. It is a maturity process. It is a maturity process. And there's a reason why it's regulated. Now it's called the cyber security maturity model, which is brand new to all of us, but now it's going to be enforced. That's what we're going to talk about. Let's put up another slide here. We'll try and keep it simple. Looking at, okay, so what we're looking at here is in DFARS, one of the numbers you can see on a contract, usually page 12, you're saying, or somewhere around there. It's DFARS. There's a long number. At the end of it says 7012. 7012 says you need to comply with a National Institute of Standards and Technology, or NIST, 800-171, which is a document that breaks down a list of security controls that you need to apply to your company to keep yourself safe in the cybersecurity realm. And it's broken down by these 14 families right here. And each family has a number of controls underneath it of how you apply these controls to cover this area. So access control will have about 26 or so controls. You apply those controls like multi-factor authentication, and you can check a box and say, yes, I comply. So out of these is 110 physical controls, but they can get rather detailed. And it's hard to comply with all of these. 110 apply to all of these 14 family members. They're somewhere in these families. They try to make it simple by saying there's only 14 families and only 110 controls. 
But the controls in and of themselves have multiple pieces to them. Yes. Let's move on. Let's see another slide and see if we talk about this. Now, here's where it gets real. In that 110 controls, not all of them are stuff that you have to do. They're shared with vendors. Well, let's back up. Okay. So in the DFARS clause, the 7012 which you referenced, if you're using a cloud service provider or some of your services, IT services, there's a reference for the CSP cloud service provider responsibility. Right. They have to be fed. And that's, I forget that number, but it's in, it's referenced in the 7012 document. And then you go read, of course, the CSP requirement. The CSP is what? And the cloud service provider. Okay, thanks. So the cloud service provider. They're trying to keep English here. And when we do these talks in these rooms, we ask how many people use, you know, Office 365 and by and large. I mean 99% of the hands come up. So there's your cloud service provider that's handling probably your email, perhaps your file storage. I don't know what else they may be doing for you. But when you do that, that's where these clause, this G and C clause for DFARS compliance comes from, is out of that cloud service provider responsibility. Now, those are the shared controls. If we go ahead and slide back, it's a good one to talk about. It's a really good one to talk about. The G and C. The G and C, because here's the thing to point out. If you're, if you are a contractor doing work for the DOD right now, and you are not Office 365 GCC High, you are already not compliant. Well, if, if you're handling CDI, and this is an assumption, if you're handling, if you're handling CDI or controlled unclassified information, CUI, confidential information, you have to be Office 365 GCC High. Yes. I have no choice. I do, I only know of a couple of clients on this island that are doing that better at this level of Office 365. 
So, if they're saying, well, I'm running Office 365 E2, E1, E5, Home Edition, you are not compliant, and you need to, you need to be looking at moving to this now. Well, let's, let's back up again. Well, Office 365 without GCC, which is Government Community Cloud. Right. That is the, the regular service you can get, like E5, the Enterprise Level 5. Commercial. It is compatible with 800-171. You can be in this new cyber security module, maturity model. You can be level 3, but you can't go beyond that because you can't comply with DFARS C and G, which somewhere in there, it actually says, if there's a cyber incident and you report it to us, the DOD, we have the option to come and take your physical hard drives to forensically examine those. Correct. Regular Office 365, you cannot do that because you're in a shared environment. You're not. Virtualized across the same machine. You could be sharing the same hard drive with multiple people. So, you have to move into GCC High where you have a dedicated virtualized environment. Right. So, your, those hard drives are dedicated to just you. And if you're, yeah, and if you're doing CDI or CUI, whatever, you have to be in that space. You have to be in that space. You cannot, you cannot coast into GCC. Now, here's the part. Oh, there's no coasting. There's no coasting. And here's the, here's the part. It's the fact that you have to be a FedRAMP compliant hosting facility. You know, you have to find that. And you have to find the people that sell these licenses because you can't go to the Microsoft website and say, I need a hundred licenses of Office 365 GCC High. There's only five vendors in the US. There's only five vendors in the US that you can buy that from. That's, that's the only place. So, get in line because, because those five vendors are getting. Yeah, it does take a while to build the environment out for you as well. And then you have to move like all of your mail over to it. 
You've got to migrate all of your mail over to that new one and all the data and everything that goes there. So it's, it's, it's phase one and you should be looking at it now. Yeah, it wasn't an important point you made. The C, the DFARS C is actually the one that says, if there is a breach, you've got to notify the government within 72 hours. So you don't get that if you're not in GCC High from Microsoft or from your provider, they don't have that capacity to alert you. So therefore you'd be in violation when you come to the government. Six months later, go, by the way, we had a breach six months ago. They may like, boom. Boom, you're done. And then the G is the one for the, if they decide to investigate where you've got to turn over the material. They've got to comply with a lot more regulations than the regular. There's a good thing on this slide though that, so as of, as of January, they, they waived that minimum 500 licenses. Correct. That would put a lot of small businesses out of business. Correct. Because these are a little pricier type of licenses than the regular license. And you're going to pay, you're going to pay for an office let's say of a hundred. You're going to, your annual fee is going to be somewhere between $75 to $80,000 a year. And you're going to mix up serious money. Yeah, so the good news is you can also pass that, that cost on to the government. The government. Yeah, but we, they haven't spelled out all the hoops you're going to have to jump through in order for you to justify reimbursement. So the, the other part I think it's so important is, you know, you are compliant, but you still have to have proper licensing. You got to do system design. Yeah. And you got to configure all those shared controls. It's not just like, oh, they got me covered. There may be stuff on your end that you have to do. Yeah. And then the policy controls also have to be written. Your domain controllers are going to get modified. Oh yeah. 
When you move to GCC high, it automatically modifies your, some of your domain controllers, your active directory gets modified. There's a lot of things that happen that prohibit you from doing things that you could do in the past. I.e., install software on my laptop. No way anymore. It has to be an admin, a system admin. They're the only ones that can do it. So imagine if you got. Which it ought to be anyway. Anyway, I'm just hoping. Should be anyway. But how many, how many clients or organizations have I gone into? What they've got? Everyone's an admin. Yeah, they've got, you know, the subject matter expert who's an admin in that particular office who's installing software that don't work anymore. You can't do that. It's not going to happen. So, so you've got to look at ways to do this. So this is, this is a barrier to entry for many small companies. This is an important obstacle that you're going to have to overcome. However, the good news I think is if you have a contract that requires this and you have multiple renewal years, what I've been understanding in some of these webinars we've been looking at is you will most likely be able to institute a change order. Once you've invested this money to come up to compliance, that change order will reimburse you for the cost of coming up to that level of compliance. The level of compliance, we'll talk about in a minute, the CMMC level. If you're going for level three, if you come up to level three and you have to go into the GCC environment, it costs you 150 grand. That's a change order. You can put that in. You will probably get that money back. But it's going to take a while. So, but you would have to show a percentage of work out of your office is going against that contract. It's the delta. So that's, it's kind of like if I'm an E5 and I go to GCC high, are they going to give me the whole amount? Or are they going to give me the delta between E and the difference? The difference. Okay. 
And in some cases it's the delta worth all the aggravation all the work that you're going to have to go through to get that. Pretty sure it is. So you can always, you can also go by your percentage of volume. So let's just say you do $10 million a year and you get a one-million-dollar contract, 10% of your cost would therefore easily be justified to have gone to that customer. Now, do I have to start tracking this in my financials? Every time I purchase something or acquire something, do I have to say, ask just to say, I only did that because of having to be compliant? Well, I think that the GCC high licensing cost, the CPU and the storage, yes, I think for sure. I mean, you're not going to be able to say, oh, I had to have a laptop because they know you need a computer. You need it for it, no matter what. I mean, well. No, but to be a FedRAMP compliant cost, to go to FedRAMP costs me more money than standing it on Microsoft's regular shared service. Exactly. And now you're going to get that difference in that cost, not the entire cost of being GCC. But I would take forward the advice going forward. Asterisk next to everything. Asterisk and just say yes, yes, yes. Well, and again, it's not appreciating your car. It's also not a requirement yet because it's not audited. It's not in the contract, so like, so in September of 2020, when it says you must be level three to bid on this contract, now you got full justification. Okay, let's talk about that right after the break. We're going to go away for a couple of minutes. We'll come right back until then. Stay safe. 
Welcome back to Cyber Underground. I hope you missed us and you stayed safe. We're here with Andrew and Gordo. The tech czar, and from IST on physical electronic security, Andrew Lanning. So where were we? We're talking about the cost and how to recoup the cost. When this is going to be actually required. So from the webinars we've been watching, there's going to be a third party. So it's required right now. Just let's make that clear. It's required, but you self-attest. And someone's already caught self-attesting and lying. And they were fined three quarters of a million dollars. That's a surprise. Somebody actually got caught. Whistleblower, whistleblower. Yeah. Nobody actually went and audited that company. They had to be whistleblower. It was a whistleblower. So in September, they're going to come out with a new document, which is the 800-171 version B, which raises the stakes. And we can look at a slide here. We're going to see the slide here. Let's put up the slide. Okay, let's speak to the slide first. This is Andrew's slide. Yeah, this is good. This tells you we've got about 150 cloud service providers operating in the FedRAMP environment. It tells you how much money is flowing through there. About a third of the world's internet traffic is flowing through FedRAMP. 
So the important thing is what we've got is a good long track record of good security and good practice compared with the other environments which are not as secure. So I like people to understand something about why the government's pushing us here. This didn't just, somebody didn't just dream this up last week. This has been going on for years and years and years. And since self-attestation didn't work, like this, you know how they said, make sure you strap your seatbelt on when they passed seatbelt laws. Nobody did that either. So they had to start giving you a ticket. So that's why we're going to start auditing to make sure you get there because the government needs its information security. So we're going to talk about how we're going to audit. Let's roll to the next slide. So here's the new cybersecurity maturity model certification levels. So you'd see this on your contract as a requirement when you're doing a request for information, RFP, RFI. You're going to send in something in response to a contract that says you need to be CMMC level three. What does that mean? So currently the 800-171 revision one, that's the NIST document. If you comply with all the 110 controls out there right now, you can come up to CMMC level three. The new document 800-171B is coming out in September. Supposedly, we hope. And it will contain another few controls to get levels four and five. So guys, let's talk about these levels and how we're going to get certified. These levels, I don't think anyone has to get afraid or have a lot of anxiety because CMMC level one is a good basic cyber hygiene posture for a small business. You might not be able to make it work. Probably the basic safeguarding controls are covered. You might see that on your contract. Level two and three is going to be bigger contracts. More CUI floating around or you're a downstream vendor for a bigger prime. 
But I'll rest my case on the fact that CMMC level one, that a significant number of companies here in the state of Hawaii that don't do government work are not CMMC. Even the ones that do level one are not at that level. And they should be because that's basic. And so, but I can guarantee you that I could walk into some client say, let's walk through the 110. I'll do an evaluation right now. Give me four hours. We'll do a self-evaluation and we'll see where you're at on that. We'll just go down the list of 110. Think about four hours and I'll give you a graphing to show you where you sit. And then you can have anxiety. This shouldn't really cause you anxiety, right? Just admit it if you look at the control set and start complying now. Because it doesn't just apply to prime. It's everybody that's under the prime. It's a downstream effect. If you're anywhere near these vendors, if you're doing any business with the big, if Lockheed Martin's got a contract and you give them washers and nuts and bolts, you're one of the vendors. You're a sub and you're there. And if you have subs, you got to make sure. You got to make sure. If you're a sub of the prime and you have subs underneath you, you have to assure that your subs are compliant. That's right. And this is going to become required as of January. You're going to, okay, so here's the process. The DOD will hire or get a third party vendor to do kind of a train the trainer thing with CMMC providers. So it'll be a non-profit. Companies that do the certification will be trained by this non-profit organization. That's going to happen sometime around between September and January. January is when they want to kick off this training and people can sign up to be one of these CMMC certifiers. Which I understand. I want to be one of those technologies. I might be too. So maybe you and I'll partner. You're wonderful. Yes. Let's do that. I don't even know how to sign up yet. They don't have that information. Me either. 
I'm looking. I don't have either. That's no application. It's no application. As of January, that's the sort of the training people to do this certification. It's not going to become required to do an RFI or RFP until about September of next year. Well, rewind. No, RFI, according to the documentation, the class I took on Monday, RFIs are June of next year. It's June of next year. So June of next year, if you want to respond to an RFI, you have to be audited by then. That's going to be tough. That's going to be really tough. But that date did not change as of the update Monday. And then if RFPs are September. So, but the date did not change as of Monday of this week. Yeah, remember the contracting officers have full authority to waive that. So, you know, we all sitting here know there's going to be a backlog, right? There's 300,000 DIB companies to be certified. DIB? That's industrial base. Okay. I'm just making sure we're speaking. So, in that supply chain, the scrutiny has come down on the supply chain. Most of those big primes we talked about, Lockheed, Raytheon, BAE, these guys are handling secret, top secret material already. They are already handling the full NIST 800-53 stack. 1,700 controls. But their supply chain is what's brought this scrutiny to bear on the supply chains leaking a lot of information. Hold it back up for a second. This is a security standard, right? Yes. Lockheed Martin is your actual target. Let's pretend that's the castle with the king inside. You're not going to storm the front gate. You're going to wait till the cook comes out the back gate to throw out the trash and you're going to go in there. That's your vendor. So, you go after a vendor and the vendor is your easy pivot point into your castle. And a good example that people have already experienced is these movies that got leaked before they were released. And it wasn't because it got to Disney or Pixar or whatever. 
It was some little two-person shop somewhere that was doing the final little bit of edits on... CGI, sound. They posted a sound, little thing tweaking a little few things. They went there and they got them there. That's where they pulled it out of. And this is what's the whole point on this is that they're not going to go after the big guy. They're going to look for the little small guy down the food chain. Yeah. Yeah. And the unfortunate thing is that the large volume of small businesses here in the state and I think across the country... 27,000 small businesses in the world. There are a great number of them that are two, three, four, even one person. So if you do this, just 800-171 with very few people, that's going to be a challenge. Yeah. And the separation of duties, first of all, I mean, how do you separate? Yeah, yeah, yeah, we do. Yeah, the separation of duties, separating of networks, separating of infrastructure, separating of firewalls. I mean... We have these different accounts, right? Yeah. So you have to have an admin account, then you have to have your user account, blah, blah, blah, blah. Right. There's privileged access and unprivileged access. And that's tough for a small company. Yeah, yeah. That's a lot of extra work. Just think of you're a parent company and then you've got all these subs. And of which one of these subs is doing DIB work, right? Yep, something that's... Then this little sub, either you've got to bring this entire organization up, or this little sub's going to have to spin off to be compliant. I think one of the other tactics is to make them let them have a client on your environment. Right. So that way you can put your controls down on them. If it's just one or two people that you're quite confident can't handle this material, that means you have to have a desk at your office, whatever it may be. It depends on what level of control your policies take. But you've got to look at those 110 items in there. 
You've got to look at this. You cannot share routers and switches. Oh, no. With non-compliant. So if I'm a little sub company of this major company and I'm sharing all the router switches and firewalls, that's got to get spun off. Yeah, you need to stand up your own. You need to stand up your own. Your static connection. So Citibank had this problem. And how they handled it was, they virtualized the desktop on a central location. So you would log in via a VPN, and they would transmit the desktop to your personal computer. Like an instance. And you're locked in that virtual environment. You're in that environment. Period. You can't even use your home printer. So that's how they handle that. So when that vendor comes in, they might not be compliant. But when they work for you, they're actually seeing information in your environment. You're just transmitting the graphics to them. Yeah, and I like that virtual instance idea too. I mean, that's kind of going back to the old mainframe topology. I like the full circle way. Everything sort of runs out of cladding. We got away from mainframes, now we're going right back to mainframe. Yeah, you just get a virtualized instance. And I started my career on it, and I'm going through my clients, okay, maybe you ought to buy a Z. That's a mainframe. Yeah, but a mainframe sells for $100,000 now, not like a million dollars like it did way back. And you can run Linux on it, which is part of the other dilemma. You could just run it in the cloud. I mean, you can fit the environment you're talking about. You can run it right out of the cloud. I'm finding it's better to run it in the cloud. There's no FedRAMP in Hawaii. No, there's no provider. Not physically, no. But you're using Summit 7. So Summit 7 can move you into the GCC environment. But depending on your application, though, depending on your application, latency can be an issue. You must also mention that you can't just go to Microsoft or Summit 7 and say, hey, give me this. 
No. You got to walk in with a contract that says it's required for you. Yeah, you got to show them the cause. And then wait four months. They only took me a day. Thank you a day? A day, one day. One day. They don't know who emailed them. They told us, they told us, they're telling me it can be upwards of four months, but we're usually doing it within one. Yeah, it was one day for us. I can send you. Sounds like Scotty on the internet. I'll send you later. I'll send you later. It's got to take eight hours, and we'll do it in one. Yeah, let's see this. We'll get bombarded. Yeah, yeah. Yeah, I'll call her. So, could these, I've seen them, too. Minor all stood up. What's the first step? Four. Oh, get out of, get out of DOD contracts. So, Norfolk. So obviously, I think the first step is an assessment, right? I mean, you need to do some sort of a risk assessment on your environment. Yes. And all this stuff is risk-based anyway. So, you need to have a strategy, right, as a company or what your information security system's going to do. My suggestion, support the U.S. cybersecurity strategy. What's wrong with that, right? That's a good strategy is to support them if they're their customer. So, you can download that U.S. cybersecurity strategy document. It just came out in, I think, October of last year. So, it's pretty fresh. And then align yourself with that. And most of this guidance that we're talking about is really laid out there for you. And I think if you step through that, I think you'll see, like, those 17 basics we talked about, those kind of align with the CSC top 20. So, there's, you know, if you're not in the DOD space and you want to understand how to get started, you can look at for this, what, the Center for Internet Security, CIS, top 20. 
And they have, of these controls, if you just look at them and start with number one, number two, number three, and work your way through them, you can get to a reasonable level of cyber hygiene, you know, and that's a start if you've done nothing. So, I recommend people do that. Now, if you're in the defense industrial base, of course, you're subject to all these regulations that we're talking about, and it's fine. What was that one in the California False Claims Act? Oh, gosh, I can't remember. It was, I think they were sued under the False Claims Act because they had... They self-attested. Self-attested, and they lied. Oh, fair enough. So, that's what I'd do to get started anyway. And there is out there, and it's free, is, you know, if you just took that 110 controls, there's actually a document out there that's free that you can get. You can download it. It's an Excel. You can self-evaluate and be honest with yourself. At the end, it gives you a report. Give it tables. It ought to report. So, as you're 37% compliant, you've got 25% in process, and the rest of these, you're not compliant. So, now you have to decide, okay, now what do I got to do with the ones that I'm not compliant? You make a POA&M. Plan of Action and Milestones. Right, and so that documents are there, and you should be doing that now. Whether you've got federal contracts or whatever with all the stuff that's going on, you should be doing it now. All of this, this stuff we're talking about, it's basic hygiene. It's a start. We're getting the cue to close down the show. Awesome. 15 seconds. You guys want to say your last words before we get out of here? I think I just said mine. Okay. All right, work on it. Get started. All right, everybody. Today, we had the tech czar and Andrew, the security guy. Also, Security Matters is Andrew's show. It's Tuesdays at 10 a.m., right? 10 a.m., and it's also on YouTube. We have full playlists of both this cyber underground and Security Matters. 
And if you want to see some great stuff, go back and watch Hibachi Talk, which is the show that we both spun off of. That was Gordo's show. That was Angus' show. And if anybody's watching us there, go see Hibachi Talk, and then come back on my show on YouTube and put a comment down. Tell me who Angus is. I want to know who Angus was. Awesome. Let me know. We'll be back in a couple of weeks, everybody. We're going to change the time to Thursdays at 12 noon in September, and we'll see you then until then.