to the Think Tech Hawaii Studios for another episode of Security Matters. We've got one of the industry's most progressive guys with us today. Darnell Washington joins me from Secure Experts. Darnell, how you doing, man? Good to see you again.

Hey, Andrew, everything is great. It's been a long time since you've had a chance to meet up at all the various conferences and events that we usually speak at. How are you doing?

Yeah, I know. I know. Doing well, man. It's been interesting. Everybody's been going through some changes, but you've got some pretty big news here. You've sort of leveraged, I think, some of this, let's call it downtime, to stay busy and bring this, you know, work with the CMMC AB to get engaged with cybersecurity for our industry. Let's talk just a little about where we came from. You and I were talking about that just briefly before we came on air, you know. You remember when we were telling everybody, someday you're going to be audited. You better get your cybersecurity act together. Well, that day has finally come.

That's right. Well, what I basically said was that the day for systems integrators to kind of hide away from compliance and hide away from meeting compliance and regulatory objectives, that their time has finally run out. Now that there's regulations and that we finally have teeth, in the fact that the Cybersecurity Maturity Model Certification, which has come up, it's been a long time coming. But from the times that we were talking, both with some of the agencies that we were talking about with PSA and the Security Industry Association, a lot of the manufacturers weren't prepared to invest in the resources to be able to harden into security requirements. And they said that unless there was a funding source or some form of a carrot and a stick for compliance, that they weren't going to move the needle at all in doing what we've been talking about for ages, of what was even the right thing to do.
So now, in January 30th of this year, then the teeth finally came out and they said that we're going to get bit if they don't do it. So we've seen a whirlwind of change, but it's long been overdue, and with the supply chain issues, and we're talking about the IoT and cloud security, COVID actually amplified a lot of the requirements and the need for this to mature and to come by that.

Yeah, for sure. And I neglected to let you give your bio, man. Sorry about that. We just jumped right in because we always do. Give our audience, take some time, give them a little bit of your background and Secure Experts, some of the stuff that you guys have been doing, as much as you care to share. I know we don't give it all away on social media anymore, but just give our audience a sense of kind of your background and get us up to speed.

Sure. So Secure Experts, we're a 20-year-old company. We formed in February of 2001, even before 9/11, because we saw the need for cybersecurity requirements as far as, you know, as everything being connected. We kind of can say we had a vision that cybersecurity was going to be very dominant in the marketplace. And as analog started turning to digital and everything started growing into the area where everything was connected, we saw the need for us to being able to make sure that cybersecurity was paramount throughout the evolution of processes as they were being more embedded in the critical infrastructure, national security, public safety, and even into home and entertainment areas. So then what we also saw was we saw that the attackers were looming for a really big tape, and our efforts to try to slow down all of the cybersecurity impacts from nation state attackers and ransomware and all this, everything has come to be really self-evident by all the ransomware and the data breaches that took place. But as far as my background, I'm an instructor for most of the cybersecurity terminologies and its certifications, such as the CISSP.
But recently, we've developed a lot of training programs that have been used for the Department of Defense and for the Department of Homeland Security. And we started working with them to develop specialized platforms for cameras and network connected devices. And our specialty has been in assessing companies and ensuring that their hardware did not expose vulnerabilities that could be exploited. So I've been in the business now for about 30 years. And if I haven't seen it, it hasn't been seen. We've talked about this before, Andrew, you know.

I know. I know. It's so fun. So the training stuff, that brings us up. Let's talk a little bit about this licensed partner publisher. So the CMMC was an advisory board or accreditation board, right? They rolled out several different sort of options to engage with the Cybersecurity Maturity Model Certification program. And I think that you're this LPP, this licensed partner publisher, you're sort of at the top tier. And I believe you'll be able to offer all of those types of services that fall under it. But tell us about building out this training program, the initial licensed partner publisher. What's that about? And you know, what will be that? What will we learn from that, you know, that foray? It's all brand new. But you know, getting into that with CMMC.

Yes. So one of the things that we've been fortunate about as far as with Secure Experts is that when you're developing the strategies, when you're developing the learning objectives, as far as what does the market really need? And what's the best method to being able to train people from different market sectors, regardless of whether you're in aviation, public safety, national security, law enforcement, transportation, whichever your market sector is, what are the training objectives? What is it that the Department of Defense and what does the world need in the area of security? So they come up with this bucket of objectives of what do they want people to learn?
And then what Secure Experts, because we've been seen as being very visionary in the market, and had so much of a diverse level of experience across all walks of the market sectors. And what they said was they want for us to transform these objectives into usable, actionable mechanisms to being able to train people from all walks of life, from all different skill sets of levels, to be able to comprehend and understand how they can actually learn how to not only protect, but these are the people who are actually going to go out there and assess these organizations to see whether they meet the objectives. So what we're really doing is we're going to be training the trainers to train the people who are going to be assessing the environments. So it's a tough standard and tough part of me, but we've been in the business long enough to have a good level of understanding. But to wrap it all up, really what we're doing is we're taking the training programs and the objectives for the trainers and the people who go out to evaluate over 300,000 systems integrators and companies in the defense industrial base. We're going to develop the training curriculum that they're expected to know and that they'll be tested on to ensure that they can appropriately evaluate these agencies, regardless of whatever they do, to make sure that they have the proper security controls in place.

Do you think that, I mean, because it's so, you've mentioned how disparate it is and how different these environments are, right? So do you think that there will be latitude on the part of these assessors? Like you'll be giving them sort of the bedrock training so that they know what they're looking for, I guess, out of a company that they're assessing. But will they be given latitude, you think, to allow certain types of mitigations or controls that maybe someone's homegrown or something like that? I can't imagine all the different ways people try to do security.
You know, I'm sure you've seen all different things in your time, right? So I'm just kind of wondering how that'll work, you know?

Well, Andrew, one of the, and that's a very good point. Lets me know that you're part of the school of the discipline, because it is the latitude that creates a lot of subjection to, you know, whether an evaluation is correct or not. Our goal is to make it as minimal as possible for them to have any latitude. And what they have when you're doing security assessments is that there's one called a compensating control. That if you don't meet the control very specifically, there's got to be something else that you have up your sleeves that's equally or more greater that mitigates what that control is. But my goal, and I think the goal of Secure Experts and the CMMC, is to offer as little wiggle room and as little latitude for subjectiveness. But because we have so many different disparate environments and the markets to go for, our goal is to define the appropriate testing strategies and the platforms to being able to provide accurate assessments. And one of the benefits why I believe that Secure Experts is going to be such a formidable benefit to the CMMC is that we have experience and training at the manufacturer and the product level, where we actually can look under the hood of a chip or an IP-based camera and access control system or a lot to determine whether these controls meet the NIST or the UL standards, where a lot of the other CMMC training organizations or the people who will be assessing these environments, they won't have the skilled personnel and resources that have that depth of level of understanding to assess an environment at some of the higher maturity level models, like the maturity level threes, the level fours and level fives, where we're fully competent and capable and have performed a lot of the assessments for a lot of the PSA members and the SIA members already.
So we have a really good past performance in being able to do that. So to wrap up what you said, we want to make sure that there's as little wiggle room as possible during the processes of the assessments. And really, that just comes from a lot of experience and a good way to be able to teach it across a variety of different personnel and resources.

Do you know if there will be like, what would you call it, like a shout out? Like let's say I'm doing an assessment, you know, and I've been trained, I know what I'm doing, and someone's offering me this compensating control and I'm like, man, I don't know if that's going to do it or not. Will there be a way for, or is there a mechanism in place for people that are going through an assessment, you know, to get some help defining something, maybe, so that the assessor could say, yeah, that is good, I've checked with so-and-so and as long as you're doing it this way, that'll work out. You know, it's interesting to me, yeah.

Yeah, they have a role for the CMMC, which is a practicing professional, someone who can advise customers as to whether they think that these guidelines are going to be done. It's going to be a formal process that you can have a CMMC certified professional that can go to talk to those people along with the certified assessors. So there's a whole work stream of individuals that can assist, but once you get to the level of the assessor, that's the point where Secure Experts will be defining the very tight curriculum requirements and the restrictions for how to be able to evaluate. But Secure Experts is always available to provide guidance and input to the community if there is a question or if there's something they're unsure about. We appreciate shout-outs.

Yeah, there's like a level of it. I forget what they call them, RPO or RDO, like they're not the certified assessors, but they're, I think, people that are going to try to help companies get ready for their certification.
Those are just certified professionals, yes, certified professionals. And those people cannot actually do the assessment themselves, because that's called a C3, a certified third-party assessment organization, C3PAO. And those are the bodies who can have people that work under them or consultants that can guide the industry in being able to meet the objectives, understand their requirements, and to prepare them for assessment.

Awesome. And then if the, so like, so is the idea going to be that you get your assessment done and then it goes back to the AB for like approval and then they issue you a certificate? And is that, and so then that's something like that I'll be, have to give to my contracting officer, correct? Like I would have to demonstrate that I have this certification from the CMMC AB. This is an interesting process.

You will be, you will be called a sort of an organization seeking certification, an OSC. So as you do that, you will register with the CMMC and then they will assign and you will select someone from the marketplace. Of course, hopefully Secure Experts, right?

Yeah. That's right.

So once you select us, then we will have certified assessors, once they do release the teams of the people who are authorized to perform those assessments. And then we will report independently to the CMMC of what certification level that your organization has been able to apply for and has achieved. And then when the DOD has proposals that are coming out, what they will do then is they will then only issue proposals and RFPs to those organizations that have already achieved that CMMC certification level. So you won't have to produce everything. The assessors will go directly with the CMMC to provide what level of certification you've been able to achieve. And they're not going to publish your CMMC level. But if you don't have a CMMC certification level, you won't be able to receive an RFP.

Wow. So that would be something to be listed in SAM or somewhere.
There will be, or there's going to be some inventory where they can go look at the companies that could perform on a contract that meets the level that's required.

Well, they actually said that they're not going to publish this list. They'll only be issuing the proposals to those organizations that have met that. That way there won't be people who can profess that they've been certified at this level and all that. It's basically an area that will give the Department of Defense an opportunity to identify who their whitelisted vendors are going to be. So the advice that we have to all of our customers currently, now that we know that we've been kind of indoctrinated, and Andrew, I think we can say we're on the island, right? Now that we're on the island, what our goal is is to being able to prepare the customers as best as we can now, so that if there are things that they need to put in place before the actual training curriculum and the training program comes, that we can give them a little bit of a quick start program to being able to assess their current compliance level, so that if there are any gaps they can make these modifications. But one of the things that you said earlier in our conversation was that as we start to look at when and what are those requirements and when we need to do those things, there's a lot of work to be done. But once that heavy lift is done, just understanding where you sit in the posture is the very important part.

Awesome. Yeah, so I want to get back into the curriculum. We got to pay some bills. We'll take a break for about one minute and we'll be right back with Darnell Washington.

Sounds good.

Security Matters. We are talking with Darnell Washington, Secure Experts, and we're deep diving. We're getting behind the curtain of the CMMC AB. The Cybersecurity Maturity Model Certification Accreditation Board has rolled out its licensed partner publishers, among the first 11 with Secure Experts.
And Darnell Washington is with us today just trying to give us a feel for the background of what's going to happen with this program as it rolls out. Darnell, you and I told everybody stuff like this was coming, you know, get your act together or, you know, somebody's going to force you to get your act together. And now that in the defense industrial base, anyway, our path is clear, you know, moving forward. And I kind of think this is going to roll out across all of the National Infrastructure Protection Plan sectors, you know, all 16 of our Homeland Security sectors, over the coming years, once the DIB kind of has this up and running. Do you have, what's your vision on the sort of the rollout, you know, you guys are going to be building the publications that the people train with? How far away are we from having, you know, enough people out there to certify 300,000 DIB companies? It's going to take us a little while.

Well, yeah, the timeline is, it's supposed to be a five-year process. But the first initial certifications, and here's the interesting part, they're going to be looking for those companies that have been in the initial round. It's the first come to the market, is going to be in the first quarter of 2021, when the first training content is going to be delivered. We're working behind the scenes to develop the curriculum, but we've already been provided with the objectives from the CMMC. And, you know, we're not at liberty to publish what they are. But our goal is to develop the content. And then actually, once that information, that content, has been reviewed by the CMMC, then Secure Experts is authorized to then publish that content to those companies. And once we publish the content, it will go to training organizations, then to assessors, and then to organizations, so that they'll be able to determine what their maturity model is currently.
But as far as for the rollout, they said that the first levels that they think are going to be the most important are going to be the levels one through three. They said that approximately 60%, or 60 to 65%, of the organizations that have products that support the defense industrial base don't have that high sensitivity level that requires CMMC level three, level four, and level five. And three, four, and five are more of those that are more involved with citywide surveillance, national security and intelligence, and global security. But if one of the things that you said about in the United States, the entire world is looking at the CMMC as the certification model. So what's happening is that even organizations that are not even in the United States, on other continents, are looking at this as a model for us to be more on par with the European Union and a lot of the general data protection regulations. So the CMMC has a great vision of being a global standard, and Secure Experts is fortunate to be able to say that we are one of the inaugural teams that are designing the content to support such a large, vast area. But with our depth of knowledge, we really do feel confident that we're going to be able to make it then and to bring these things in. So from January of next year, and the whole process of the delivery of the content before everyone can really get on board, and when this machine will really start kicking, I think it's going to be probably the middle of next year before we're really starting to pump up the strategies and the initial companies are going to start getting certified. And with the partners that are going to come on board, it's going to be so important for them, because as the attack vectors change, the new people, they're going to create new ways to infiltrate and to attack the cybersecurity framework and how to adapt. So training is going to be evolutionary as well.
What might be one of the objectives that might be required to be certified at the original level, there may be a new version that has to be adaptable and flexible, because cybersecurity is never going to just stay static. It's always going to be a dynamic, ever-changing environment. So that's one of the reasons why I think that Secure Experts working on the content development as a licensed publishing partner gives us the first view into what's happening in the world and how we can best protect the world and the United States from the cybersecurity threats that we face.

Yeah, I'm glad you mentioned it, because there's this idea that I had in my mind, just because you know how we update devices, we'll get a firmware update, and a training program especially like this around cybersecurity, and the way a business is operating on the period of their assessment, how do we know they're operating like that two weeks later or two months later or six months later? I was wondering if we were going to see the idea of a bit of continuous monitoring. I heard that mentioned in the FedRAMP spaces, you know, kind of wrapped around the CMMC programs that are coming out with some of those FedRAMP providers. Do you think that a program like this could benefit from continuous monitoring, or do you think it would kind of be too much of a burden on the, you know, the small businesses and the folks that have to maintain the cert?

Periodic audits and continuous monitoring are an essential element of the CMMC program. It's not just the check box, but they are pushing all the models to be able to undergo.
For example, for CMMC level three, four and five, you do have to have an in-place continuous data monitoring and model in place to support whether those patches have been applied and whether those take place, and Secure Experts actually has continuous data monitoring systems and solutions and offerings that are currently in place to monitor customers' environments, especially now that they're not involving a single office. We now have remote third-party telecommunications providers. We've got work that's being done off-premise from remote environments, so our threat landscape has expanded, so the reason and the requirement to have continuous data monitoring is even more important than ever. So the CMMC has got that process that's already embedded and built into those.

Wow, so that's, so the higher levels then are probably, probably somebody who's kind of got their own shop, their own home bake shop, small business. Maybe you think they can even do this stuff on their own, or do you think they're going to need some serious help from third parties?

They're going to need some help from third parties. A lot of people, they think that they can do it themselves, but like they say, the cost of being an amateur can be very expensive. And what happens is that when things are tested and have very rigorous requirements from a third-party assessor, it's pretty much cut and dry as far as whether you're in compliance or not, and what happens is just the process of redoing something that you've already done because you thought you did it right. You know, you don't see dentists operating on their own teeth, you know.

That's a good example.

A lot of those things going on in place, but the main thing that we've always talked about is a lot of the core functionality and the foundation elements of cybersecurity, Andrew, have been knowing what you have in your environment, making sure that your devices are patched.
A lot of the real basic things that we've been talking about for five years, Andrew, that these are the core, you know, basic ground zero approaches, and by being able to support these third-party organizations at accomplishing the, you know, the level zero, then getting to level one and, you know, getting to the level where they can at least identify their assets that are inside their IT environment. Then those are always good frameworks, but the NIST Cybersecurity Framework was foundational, and the NIST 800-171, which is the requirement for protecting confidential and unclassified information for non-federal environments, those are the guidelines that these organizations should be following right now. And we can say that these are things that are sometimes ambiguous to people who aren't trained, and that's why third-party assistance will help them along the lines of making sure that they can be compliant.

Yeah, for sure. Let's talk just a little bit before we close up, we got a few minutes left, about the DFARS clauses. I know the Defense Federal Acquisition Regulations recently got updated. What do you think the greatest impact was from those sort of changes that we had for, you know, let's just say for the tier one, and then maybe the tier three and four? I think they're a little bit different, but what's your take on it?
Well, the main thing, of course, was that people were able to self-certify. They were able to say, yes, I'm in compliance with these things, and then a couple of years ago they started hitting these organizations with the False Claims Act, where they were debarring them, they were taking assets from their company, they were freezing and making sure that they could not conduct business. So that was the first thing that they added to third-party certification. But the next thing that I thought was the challenge was, how are they going to be able to start evolving progressive to know, when you move from a level one, what's the difference between the level one to level two and the level three? The areas that we really focused on was, Andrew, and you'll hear it from me first, every organization should have started at level three. Levels one and two have never really been acceptable. They were always the basics that were just equivalent of saying you should lock your door at night, but it didn't talk about anything about having an alarm system or a camera or anything on your house. It never provided you with the appropriate level of protection that you should have had. It's like a car without brakes, you know, that's the level. So if we're finally getting to the level where we really should be, this presents an opportunity for us to reach a cyber forward strategy that we should have been a long time ago. And now that the CMMC has brought teeth to the game, where it's enforceable and people can start moving forward, I think that these organizations should start building and looking at the level three as their entry level to protect their appropriate environment to the level that I think that they should be.

I love it, Darnell. I agree a hundred percent. People, it's time to pay attention. Don't settle for the bottom of the basement when it comes to cybersecurity. Shoot for level three. The CMMC's great guidance if you don't know what to do, you don't know how to start. And if you haven't started, call Darnell over at Secure Experts and get some help, get some guidance. They'll be rolling out this curriculum for us next year. Well, I'll get our hands wrapped around what's root, what this is going to look like when the assessor walks in the door. There won't be any reason not to be prepared, but you got to start now. It's not a really easy lift.

Andrew, I gotta let you know it's not just me. We have a whole team of folks, you know, you got Desiree, all the rest of the team. There's a whole army behind Secure Experts to make this stuff happen. I definitely couldn't do it all myself, a little bit. I'm ambitious, but I know.

Awesome. Thanks so much, Darnell. I really appreciate you spending your time with us today. Take care of yourself, wash your hands, wear a mask. I'll talk to you soon, sir.

All right, thank you very much. Take care.