 Which one's got headed though? Welcome to the precursor for my situational awareness. DFARS for dummies. Yeah. Today I'm here with Andrew Lanning and Gordon Bruce. And we're all just going to work on this book together. DFARS, Defense Federal Acquisition Regulations. Plural, not system. That's what the S is. That's what the S is, and that's DFARS. We're going to talk about why it means something to you if you're a contractor working with the DOD, the federal government, and especially if in the defense industrial base. Welcome, guys. What's up, brother? I didn't know you were live. I was just so we could hear you acting on the way. I didn't know we were on. I didn't know we were on. He's actually introducing the episode. I'm looking at the book and spreading it out. We're trying to figure out what we're supposed to say. Are we the dummies of today? Is that the idea? Because one of us should know something. Well, they're difficult for me. I can tell you right now. Thanks for having us. Hey, it's great having you guys around. This is like Hibachi talk all over again for those of us in the cheap seats now. That was the original show, Gordon's show. And I'm actually starting to miss Angus. Angus Mentec. We got Angus could have been the dummy today. That could have brought him. Because he's like, he is a dummy. Yeah, I'm turning him. His new character is an angry Scotsman. So now he comes on and he's not happy. He's just angry. He's just angry at everything. He could have been angry about yesterday's false alarm. Did you hear that one? Yeah, yeah. Got the call. The sirens went off on the east side, but not the south side. I heard them. I was in Honolulu. No signs. No sirens. Yeah, I mean, I'm walking down a set of stairs and people go, you're going to know what this is all about. And I went, I'm looking at my phone right now and there's nothing on it. I think they're terrified of sending out a message after the missile attack warning. And I don't think E.K. 
ever got his password back. I put a new post on Facebook. If anyone wants to go check it out, I'm probably going to get beat up over that one. Really, guys. That's another mistake for those of you listening. Not in Hawaii. We have a tendency to have a lot of false alarms out here. And we got another one yesterday. The tsunami warning sirens went off, which is also our nuclear missile attack alert. Which leads us to this new domain, situational awareness. Situational awareness, right? That is one of the new things. What a segue. I just gave it to you. Well, we got to do some backup. OK. Let's go back and talk about the DFARS. Not again. The brief history way back when with the contracting wasn't balanced for everybody. And there was some shenanigans going on. They came out with these standards. You have to comply with these standards to have a federal contract. Later on, of course, we had the war. And the spies were really prevalent. And we had the whole McCarthy era. And so we added security to that, the anti-spying regulations and the security regulations. So that's all built into DFARS. And then now we have this influx of huge amount of cyber, everything from ransomware to phishing attacks, things like that. And insider threats are a big one. So it's built into the DFARS now. And the DOD helped create an organization called the National Institute of Standards and Technology to come out with a list of control checks for your cybersecurity governance. You control your organization so you can be secure enough to do business with the federal government and the one that's particular to doing business with the federal government, if your organization is not a federal organization, that's called NIST 800-171. It's a set of 110 control checks or then it's listed out in 14 families. And that was going okay. It was self-attested, right? And someone got caught for self-attesting. A whistleblower came up and said, no, no, no, they're not really, they got sued. 
So I think that was the trigger to get organizations and the DOD to come up with a new plan of attack to get people to actually comply with these regulations. And the problem was, if you're a vendor to the DOD, you have a downstream effect. All these little vendors to you and you're vending to the DOD, if any one of you is compromised in that supply chain, they can get into the castle and break down the front gates. So we want that security to permeate all the way down the supply chain. And the plan now is that DOD is going to make a non-profit organization responsible for training organizations to go out and certify vendors to the DOD at a level of one to five for the new cybersecurity maturity model certification. So now we've brought us all the way up to speed. You think he's done this before? I actually do teach this. Oh yeah, for those of you out there in the cheap seats, I actually teach for the University of Hawaii community colleges. I teach at Kapiolani Community College. I teach network security and ethical hacking. I'm also the IT program director out there and I own my own small business that deals with the DOD called Kapu Technology. So, yep, I cover all this. And in you guys' contract with the federal government and you have contracts out here and you deal with this too, GJB and Associates, Integrated Security Technologies. Both of you guys have been in business for many, many moons and I'm just a noob. So we cover the whole range of experiences in this field. So we can come at this from a lot of different perspectives of how this is gonna affect us. Now, the timeline, and you're better at timelines than I am, the timeline of this starts about now. They met their September deadline of getting out a draft of the new CMMC guidelines. We're gonna see a book on that. Comments must be in by September 25th. Okay, so hopefully we'll make that deadline. You've only got a few days to make your comments on that document. 
And that's the document, it's the foundation of the review. So that's gonna become, hopefully in January is when they're gonna start certifying companies to go out there and do these audits and certify other companies. That's a tight time mark. Well, I think we'll see an RFP for that issuance unless they just so source it to somebody. An RFP for the DOD org to be the train the trainer. Yeah, they want a nonprofit is what they're saying. Yeah, I think that. So that may just be a direct award, or you know, but I think it'll be funded, right? The monies, it's one of the 15. So the new fiscal year's beginning, it's funded. Oh, that's right. So that effort will happen, then we'll have to line up who's gonna go get trained to become an auditor. And that'll take off. They won't RFP it, if they don't have that much time. So they're gonna, they'll source or sole source it. And the reason I think they picked the nonprofit is that enables them to sole source it. They could do a WOSB, women with small business. They could use an 8A, they could use a Hawaii. Some sort of a training academy. So like, it's gotta be somebody with some breadth, right? So they'll be someone out there, they've got options. And they'll probably pick somebody that they can just go keep them. You've got it, you're in, you've got three months. And we've got 600,000 Fed estimates, defense industrial based companies in this supply chain that gotta get certified. 600,000. No, 300,000. I thought it was 300,000. 300,000. It's okay, we doubled it. 300,000. So if you spin that further. Now it's down to 150, because there's a bunch, 150 of them are scared to death. I'm not gonna go. Yeah, I'm not gonna go. We're not gonna do business anymore, yeah. So 300,000, nine months. There's no way. Well, it's a lot of work. So come September. Next year. Next September of 2020. When we start to get RFPs, issue that have the requirement that you must be certified to X level, one, two, three, four, five. In order to bid. 
In order to bid, the acronym RFP, request for proposal. For proposal, sure. And so you know, in theory, when this is working, you'll have to have been certified already in order to offer a bid to that RFP. Which is awesome. You can do an RFP, you can respond, and they can do an RFI, request for information. And you've got to supply what level you are based on the contract requirements. You have to supply that cert with the bid. So, this is a go-no-go, like we've been saying. If you don't have this, you cannot bid on this contract. It'll be recorded already in the SAM. So we're all listening to SAM.gov. What's SAM? SAM, I should know. Acquisition Management System. We're so used to that. Yeah, SAM is the Acquisition Management System. So companies like us are all listed in there by our CAGE code, which is a, I don't know what CAGE stands for. Don't even ask me. I just want FOP. I mean, I know where our CAGE code is. But you can, that's how you want to insert your company in all of its primary codes, NAICS, National Industrial Certification Standards. So this is one of your capabilities. Yeah, it'll sort of be in there. So, and that's, that'll, you know, that's how they'll know that you're a valid offer. But without that, you're not in the running. No, well, you might be able to, what I think I see is like protesting like people say, well, it has to be level four, it should be a level two. So they're still going to have this clarification of what kind of material is it that the government is saying has such a risk level associated with the potential loss of this material that it has to be categorized in at one of those levels, one through five, right? I think we're going to see in this book that you just gave me the link to. That's a very book. Neil, our friend is out there, is he's outlined the first two levels are really easy to attain. Sure. It's level three is the one where you actually start doing something meaningful. 
Yeah, and I think that's, I equate level three to be in like 800-171. Which current state. Yeah, which you can do without, the problem is DFARS leads it. And DFARS has a couple of clauses in it that we've talked about previously, right? About having your data on a hard drive and the people who are at the cloud service provider administrators being cleared type people, right? I find it interesting that you said that you think level two is easy, okay? And this is, I'll just say based on, forget DFARS, forget NIST 800-171, just hit, I have a company and I have a tech, I have technology within my company. And first of all, here's one similar, established policies, I can guarantee you there's a lot of companies in town that do not have policies, that's level two. Establish practices to implement. No, okay, establish a plan. So that's like your assistant. So I can tell you right now, there's a whole bunch of companies that don't even do government work that don't even have this. And that's maturity level two. Yeah, yeah, yeah. Well this, that's why I'm- Well it's still easy, it's just people aren't doing it. Right, yeah. Well I'm hoping that this will fix a lot of, because you know, regardless of what industry you're in, right, the defense industrial base is a leader, right? Sure, right, this is the weaponry that we build to secure our country with, right? ICBMs and all that stuff. So, but hospitals are just as important. People die there if things aren't secured, right? Sure, water supply lines. Water supply, utilities, right? So these things are part of partial to our way of life. Yeah, turn off the electricity, see what happens. Right, exactly, we talked about that yesterday. So anyway, so what I'm hoping is that this type of guidance will motivate all of these businesses that are, I don't care who you service, I don't care if you're servicing Neiman Marcus. You know, if you're bringing in POS systems into Neiman Marcus, for example, what's flashing? 
I must have said something, they're hunting me down. The, you know, but just for example, right? I would hope that those kind of companies will elevate their hygiene, look at this, go, you know what, let's shoot for level one this year, level two next year. Without any prompting from anyone, without any regulatory pressure, they'll start to come up. Cause this is stuff, and to your point, you make a great point. This is stuff they should be doing anyway. So here's another point to all of this, is that, get ready, this is the beginning of the future. This is not just DFARS. This is working more. This is getting worn, but it's going to be required, it's going to be required whether you're, now you all know the banks, insurance companies, et cetera that deal with the money and so on, they have certain rules that they have to comply with. Guess what, these are going to get applied to those, they're going to get stronger and tougher, and I don't care if you're Tarjay, or Walmart, or whatever you are, whatever you are, you're going to have to get to those levels as well. Yeah, sure. No doubt about it. And so that's how what people should look at this as. Now, it's nice cause the government's now willing to pay for it, you know, so when that thing says, level three required, I can justify the delta cost difference between being zero and level three, what does that cost per month for those Microsoft licenses, for example, or for the Azure instance, if I got to have it in FedRAMP, versus having it in a normal environment, and that's no, so they'll now pay for that. So before they weren't, so that's why I think this self attestation stuff was difficult for people to bite off on because it's six figures. I mean, it's not inexpensive to get there. So most small businesses aren't going to spend till they have to. You resilience says it's going to be around a quarter of a million dollars, and I, that's inexpensive. 
I'm not sure that number's right because in that number they said FedRAMP, you know, $50,000, no, is your FedRAMP $50,000? To set up. To set up. One time, so to set up the instance. And you're a small client, I got another client that's bigger than that, so that was double that. Yeah, bet. So they didn't give you the average, so. Yeah, so I, the delta license difference was like 11 bucks a month per, you know, person. Have a GCC high, right? What's that for? What was GCC? Government compute cloud. Government compute cloud. Community cloud, sorry. Community cloud. So you can have GCC and then you get GCC high. You're going to need high to do the DFARS, blah, blah, blah. So that for us was a difference of like 49 and 60 or something per E3 or E5, whatever they are. But you can add that to your contract now. Exactly. Yeah, as a cost. So because it'll be required. Yeah, but they still haven't said how they won't pay us. Well, what a, you know, it's going to be in your house. Yeah, but they still said, put it into your bid, but they still are into your price. They still haven't said, and this is how we'll pay you back for it. Right, that's the key. They haven't worked out the detail. Well, so, so, yeah, so again, let's talk about those details. You trust the government? We blew through 15 minutes like that. I know, right? We'll be right back after these breaks until then stay safe. 
Welcome back to our first episode of DFARS for Dummies here in the Cyber Underground. Again, I'm Dave Stevens and I'm here with Andrew Lanning and Gordon. This is our third episode. Of DFARS for Dummies? Well, haven't we done this a few times? We've done this, but we've never named it DFARS for Dummies. We came up with it. Oh, I see. Now it's officially for the dummies. That's why you got me in here. Believe it or not, there is actually a DFARS for Dummies book. Is there really the yellow one? Yep, there's a yellow one out there. That's why they got me in here. One contractor was contracted by the organization for that and they don't quite call it DFARS for Dummies. It's like defense contracting for dummies or something. Oh, we got to do DFARS for Dummies. The saddest one I ever saw on the shelf was Depression for Dummies. If you're reading that book, it's already too late. Or how to deal with it. I don't know. I don't know how to get depressed. The next month is Cybersecurity Awareness Month, so we can talk about all that. Let's talk about Insider Threat and Depression. That's a good one. Yeah, we'll take this on. We'll make this bigger. Let's put up our first image of today, the cover page of the book. This is a free book by CMMC by Neil McDonald. You should tell him. We have a link that we could put up there. I sent that out there too, but it's a really easy link. And if you look this up in Google, you'll come up with that CMMC Made Easy by Neil McDonald. By Neil McDonald? Who is he? See, I'm loading this. 
I'm loading this. Fire away. No, no, I don't really know much about it. I think he works for the SBA. Small Business Administration? Yeah, yeah, I think. And so his office, I think he helps promote small business contracting efforts. So this comes up under that effort. Neil's a great guy. I've chatted with him on LinkedIn, had him on a show or anything. So maybe we can get him in here. I'm sure he can get him in here. This is a great book. I mean, the book is very good. Well, let's put up the second image here. Yeah, I caught him authoritative on this stuff. He's the guy. So here's how the CMMC breaks down on a high level. These are the levels one through five that you're going to have to get certified on. If your contract states that you need CMMC level three, then you as the prime and all your subs downstream have to come up to that level. And most Fed contracts will require a minimum three. If you're going to share the information with them. So let's make sure we're clear. Cause let's say, Oh no, that's great. Because if they're not going to share the information, if they're not going to touch the information that is declared CUI, then because perhaps like I'm working, if I'm doing electronics. Controlled unclassified information. And let's just say I'm going to decide to install a water cooler. And so I hire a plumber to do that. He's not going to touch the electronic stuff. Just so we're clear. But he has to get into your office to install the water cooler. This is the debate. This is a lot of the discussion. It's the vagueness of it right now. And that's why the comment period up until September 25th is there. Because there's some areas you can't, you can't make a determination. And I'll give you an example. I had a client or have a client had client that the janitorial service, okay. Are they allowed into their office to pick up the trash and to vacuum unescorted? No. They have to go out. 
Well, but the question is, so is there material, it's not supposed to be, you're supposed to turn off your computer. You're supposed to close and lock everything that's there. So now there's the other question. Does the janitorial service have to be a US citizen or carrying a green card? Only for 853. 871 does not specify that. Debatable. We're having discussions with that right now. So that's, so now they're going, well, maybe if it goes to level four, they might have to be, but now you're in three. So now everybody's like trying to say, not everybody, but they're trying to say, well, maybe we better be secure to level four, then we'll address level three by doing that. So it's getting to be a really interesting, especially if you've got a NISPOM room or if you've got a secure room, now no one can get into that secure room unless they've got the right clearances for that. Right. And it needs to be properly secured and all of those kinds of things. So if there's a trash can in there and there shouldn't be, right? No, you can, so we enter SCIFs escorted. That SCIF is different than a NISPOM room though. So I'm going to argue with you on that. Skip this. Let's do acronyms real quick. SCIF, Secure Compartmental Information Facility. Right. SCIF, I don't know a NISPOM. I can't remember that myself. NISPOM is the National Industrial Security Program Operating Manual. Oh, I got it. So NISP is the guidance for everything that is confidential and above. Let me give you another example that's really gray, but really simple. From a company I used to work for. That's a really easy thing. They went on the base and they took the, by laser measurement, they took the interior space measurements of buildings for janitorial contracts, cleaning, right? And the reason is because the janitorial contracts would just go to the, the contractors would go to the original plans and say, oh, this is 8,000 square feet interior, right? That's not true. 
You got to take away the elevator space, the stairs, the thickness of the walls and a whole bunch of other stuff. So they go in and measure all the interior spaces and they make maps of the interior, right? The contracting officer said, no, that's not CUI, but you add that to a map of the base that's publicly available and now it's the aggregate of those two things that becomes CUI. See, that's the dilemma. Sure. That's a dilemma. So even if you don't think your downstream people will actually handle those CUI documents, even if they're not marked, the aggregate of other documents together downstream might constitute CUI and you can give them some trouble there. Well, there's, there's guidance. So this guidance is in the NISP. That guidance is specifically written in the NISP, how you do that, how you aggregate that information, how you label it and the guidance comes from the National Archives. So if you want to know what CUI is and what the aggregation of information that could become CUI is, which is the responsibility of the, perhaps the person generating the information, right? So the guy above me, he's not. Let's say I got, let's say I got contract X with one contractor and contracts Y with another and those two things for those two contracts don't matter, right? So they're flowing down to me. This document and this document. But when they get together. And let's say those are level two. But when me, where they meet at my office and now I've got these two documents together and if you could come in and get your hands on them and remove them from my facility or something, that together there was a risk of them now being. CUI. So let's say these, let's say this was level two, this was level two, but together it's a level five, right? That would be scary. So that's, but you do have to mark it. So there's a whole manual about how to mark that information, how to adjudicate that information, how to dispose of it, like I was all handled. 
So material handling is a big piece of it, but it doesn't, it's all in the NISP. We are confidential and above. And so this is where I think the DFARS, current DFARS 171 will start to expand itself. And we're going to have overlap between what we're calling CMMC level five and confidential. And there's going to be some ugly area there or they'll just take, treat all of it as confidential. Why are we calling it controlled unclassified? Oh, it's important because they redefined it for based on what was called before. Yeah. So we've created this model down here that's not confidential, but maybe it'd be better to call it confidential. Controlled, unclassified, you've got classified, you've got secret, you've got top secret. And below that you've got sensitive. And who determines which level, who's the one that determines that this is controlled, unclassified information? I can't go back in. It's not like I can pick up a book and it, because it's not real clear. Well, the National Archives says, like engineering drawings, it says clearly. So for me, I know what those are for a mile or so. But then the engineers will argue, okay, but what type of engineering? If I'm engineering a bolt, is that really, is that really CUI? It's a bolt. Oh, it could be. It could be. If I could get the weakness of that bolt going into an aircraft, I know the weakness of the aircraft. So this is the dilemma of it all. I think a lot of the contractors in my experience, when the contractors go, they talk to their contracting officer. The contracting officer said, look, you have these DFARS in here. You gotta handle your CUI properly. And the contractors ask, what is our CUI? And the contracting officer has no clue. Well, so the way it's written, the government is supposed to identify it for you. It's vague. It's vague. So this is why they went, this is why this went back and was not why, but they were waiting on an RMF 2. So the risk management framework 2.0 is out. 
Everything DHS has switched to the way it is working. Everyone's working from a risk-based model now. It used to be a compliance-based model. So now it's risk-based. So perhaps- Which is much better, because you can check boxes, but that doesn't mean you're safe. It doesn't mean you're safe. And so this bolt example, it's kind of a good example. Even the material in the bolt is at the right percentage of tungsten versus steel or whatever. Stuff like that could be, that's a supply chain problem perhaps if they got fake metal or something, or whatever, I don't know. Or it can be riddled at different temperatures. But the question's still valuable. So what's the risk? Remember risk is a frequency and then the outcome. So is it likelihood? And then if it were to occur, how catastrophic could it be? So there's always that balance. And the bolt example could be more of a structural risk and not any kind of, someone knowing about it matters or not. It could be the bolts on an aircraft or a cord. Let me ask you this. I mean, you guys have done a lot of contracts and this is just me, the newbie, saying this is what I think is gonna happen. When the government comes to the contracting office and says, okay, you guys are all responsible for labeling CUI now and identifying that to all your vendors, right? What's the easiest thing to do? Well, that's one area they've spelled it out well. It tells you how to label the documents, how to cover them. And then when he's identifying what's covered, the contracting officer could just say, no, everything. And they could. And we just, I mean, it really won't matter. It's your tolerance for risk. Part of it is your tolerance for risk, right? It's gonna be your tolerance for risk. What do you think? No, most companies, the FSO is gonna say all of it. Sure. Because they're a security officer, right? Yeah, no tolerance. There's no tolerance because it's there, it's there locally that's on the line. Sure. And they're gonna say that. 
Now, maybe the contracting officer says, cut me some slack here. We're trying to get this contract done. So this is where the mushiness is happening. It's gonna be interesting to see. And let me throw one at you, because I know we're gonna run out. TAA. Okay, you're gonna throw the, because this is gonna throw me off. Okay. You know, the trade adjustment assistance. Oh yeah. And that's because you, remember that, if you had a contract with the government over a certain size, you could not bring in materials that were made in, say, for example, China. Yeah. But guess what? In all of this NISTA, there's nothing about that. Doesn't mention it. There's nothing about that. So does that mean, in my company, in my company where I'm standing out, routers and switches all over my business, whatever, it's okay for me to put, something? Sonical. Sonical. Those are different clauses in the FAR, though. So that stuff's in the FAR. It's in the FAR, but it's not in the NIST. No, because NIST is just the framework. Framework. Yes, the framework. So you gotta be careful with the whole contract. The whole thing. Yeah, yeah, yeah. All the clauses together. Yeah. There's still a FAR. It's not like you had just DFARS. You have the FAR. You go into the NIST part, and you're using the NIST 110 controls, which is gonna go to 134 controls. That's a great segue. Let's put up image number four. So you gotta go to those controls. It's like, hopefully in there, it's gonna say, TAA, hardware only. We don't know yet how that's in the FAR. That's in the FAR. I don't see the FAR, but my point is it's not in the NIST. Here's our new CMMC. There are 18 domains now. The NIST has only 14 domains. We've added cybersecurity governance, situational awareness, recovery has been taken out, and there's one more in there that was taken out. Incident response. Incident response was already in there. But there's four that were either not there before or were taken out of other ones and made their own subject. 
Well, they clarified physical I noticed in there, which is good, because it was very vague in the previous one. It was vague. Yeah, but then now they have, they've always had personnel security and physical security, and now they have other ones. This is more requirements. I'm gonna have to dig into this a little bit more, but this just came out two weeks ago. I haven't had time to really vary myself on this. Sure, and it's in draft mode. I mean, the important thing about right now is to ask these questions. That's why you're gonna comment very quickly. Because if we get these questions up, hey, we think this will be vague. How would it be interpreted? Yeah. Or whatever. How will you interpret it? These are the times to ask. To me, there's more, like granular control here than most people are used to. So as they start to work their way into just addressing these basic controls, they're going to come up in their maturity, right? And that's what's important. Can they get to a level where they have that answer about that particular piece of material, and do they have a way to deal with their self-contractors and that management of this material? That's the questions that we'll have to work on. Here's what I recommend to everybody doing this. First of all, start now, because you've got at least a year. If you start with the stuff. Based on what year? It's from September to September. To respond to an RFI, you will have to be NIST level three compliant by April of next year. So April, so you still got several months. This is not panic attack time. But here's what I recommend. If you're gonna do this, go out there and get yourself a project manager, an IT project manager that knows how to present all this information to you. And possibly someone with experience working with DOD contracts. That would be perfect. Ex-military out there looking for work. Yeah, there you go. Security clearance. They're gonna be the perfect guy. In the sense. With our last minute. 
You guys want to say anything about this? Cause we're at the end of the show. I'm exhausted. And he did all the talk. Well, I like the direction that we're going. The country needs this kind of guidance. We need it regulated cause SS, you know, self-testing wasn't working. And so let's just get to it, just work. That's all, let's do it. I agree. Thanks for joining us, everybody. We're gonna be back in a couple of weeks another Cyber Underground. And within a month, we'll do another DFARS for Dummies. Hopefully all the guys can make it. And, I got my hat. All right. DFARS for Dummies. All right. Aloha guys. Thanks for being on the show. Everybody out there. Stay safe.