CMMC: Protecting Critical Infrastructure

Listen to learn what organizations are critical infrastructure and how CMMC can help strengthen an organization's cybersecurity stance.

SecurityMetrics Podcast | 64

CMMC: Protecting Critical Infrastructure

Critical infrastructure is under threat and has historically shown to be vulnerable. Protecting critical infrastructure is a wide-ranging effort that requires careful consideration.

Katie Arrington (Former CISO for the Department of Defense and mother of the CMMC) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss the current critical infrastructure landscape.

Listen to learn:

  • What organizations are critical infrastructure
  • Current threats to our critical infrastructure
  • How CMMC can help strengthen an organization's cybersecurity stance

Resources:

Katie Arrington - https://www.linkedin.com/in/katie-arrington-a6949425/

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of CMMC: Protecting Critical Infrastructure

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited today about my guest.


I've been wanting to talk to people about this, critical infrastructure and how to protect it. And I was thinking, who really knows this? There is nobody better than Katie Arrington, and I am delighted that you said yes to this. Let me give a brief bio.


Katie Arrington is the owner of LD Innovations and former CISO for the Department of Defense and mother of the CMMC.


Don't panic. We'll explain that in a minute. Now focused on assisting DIB partners in understanding, visualizing, and mitigating supply chain risk, to include cybersecurity.


Welcome, Katie. Thank you for joining me.


No. Thank you for having me. I appreciate it.


So I think there are a lot of people who listen who kind of have broad knowledge, and some people who are very nontechnical, and a lot of people who have nothing to do with, like, the Department of Defense, or might think that they have nothing to do with it. So we kinda need to start with baby steps. What is CMMC?


Oh, well, that's an easy one. So back in two thousand fourteen, President Barack Obama signed an executive order stating that every company in the defense industrial base needed to get cybersecurity if they were receiving CUI, and he told NIST, the National Institute of Standards and Technology, to create what is now known as NIST Special Publication 800-171, which is cybersecurity for nonfederal systems.


It had to be in contracts by twenty seventeen, all DOD contracts. And the problem is there's no way to check compliance to the NIST one seventy one.


And we knew, you know, the Department of Defense, and I think everybody knows. I mean, right now, globally, we're losing six trillion dollars a year to cyber theft, espionage, ransomware, you name it. But in the Department of Defense alone, believe it or not, with everybody saying how great and cybersecure they are, we're losing a hundred and thirty nine million dollars a day.


So that's a problem.


It's a big problem. Right? And when you think about that, you know? So everybody from twenty fifteen till now, right, was just checking the box.


It was a self attestation. Yes. I am doing the NIST one seventy one. It was a check.


Mhmm.


There was no verification, and you don't lose a hundred and thirty nine million dollars a day in cyber if you're actually doing the things that we recommend doing.


Right.


And then we had a bunch of stuff like GAO reports, the MITRE report Deliver Uncompromised.


But the, you know, the most telling thing, and why President Obama did that, was when we took the F-35, when she took off. Mhmm.


The beautiful piece, and she's not, she's an airplane, but she is a weapon.


Mhmm.


When she took off, six months later, China took off with something called the J-22. Yeah. Which is an identical replica of the F-35.


On videos.


Yeah. And you know what's really odd about that is that they built the J-22 with the original canopy flaw of the F-35.


So there's no way to do that unless they had access to information they shouldn't have had access to.


And it's in the supply chain. And this, you know, there's a whole conversation, and I mentioned it, CUI. Right? Controlled unclassified information.


And if you weren't receiving it, you didn't have to be NIST compliant.


But I argue every business in America should be adhering to the one seventy one. And I'll ask you, tell me one thing in your life that doesn't have cyber.


Well, it's everything, and that is going to bring me to this wonderful overview of CMMC, its criticality.


Yeah. So let's pull it back now to the very beginning of maybe this conversation.


What is critical infrastructure? Because what I've heard from people is CMMC only applies to critical infrastructure.


And what you just asked me, right, is, like, where does cyber not apply in your life? And so how do we define critical infrastructure?


So the Department of Defense, just so everybody is aware, back when Miss Ellen Lord, the Honorable Ellen Lord, my old boss, in February twenty nineteen executed a memo under my request to make all critical infrastructure CUI in the government. Okay. So what we look at as critical infrastructure is, you know, the power supply, the fiber supply, the water supply, the roads, you name it. Right? Coming into the critical infrastructure.


And when you look at that, networks are part of critical infrastructure.


Mhmm.


So if you think of the power plant. Right?


Right.


And how the power gets to you, it comes from an environment, right, of, you know, whether it be, you know, and I'll use names like Duke Power or the Appalachian Power Company. That's coming to you from a network. Right? The energy comes through cyber to you. Right. So we needed to make sure that the critical infrastructure providers were as secure as they could be, because what's the easiest way, and this is one of the things I've talked about since, gosh, when I was a state legislator.


If you have ever read The Art of War. Mhmm.


The number one way to destroy your adversary is from within.


Yeah.


Right?


And I've spoken to people so many times, almost ad nauseam, to explain that the next war, what you're seeing in Russia and Ukraine right now, is that a kinetic war will never be won again, because there is not a country that we would consider a near peer or a peer adversary. Mhmm.


So we don't have a lot of capability. Right? So you're seeing in Ukraine and Russia a stalemate of what weapons do.


Now the real war that's going on that's really impactful is a cyber war.


And for people not to think that we're in a cyber war is just that, it's ignorance. Right? You have been made aware. You can't turn on the TV anymore and not see a hospital system getting hit by a ransomware attack.


Right.


Colonial Pipeline got shut down because someone didn't change their password.


When the system went down. People have to understand that you are living in a world of cyber war. You just may not be, you know, familiar with it. We've had, well, just recently, they busted one of the larger, it's called the Hive, which is a group of hackers.


You've heard of Hive?


Oh, yeah. This takedown?


This is, I hope, I think it's going to be on the SecurityMetrics news or has already been on the news. Yeah.


By the time this comes out. But them taking down the Hive, that's a major deal. This is a huge win for the good guys.


For the good guys. And people don't understand. Like, when we talk, you know, it used to be, you know, and I joke around a lot and I say it. When Al Gore created the Internet, he didn't know what he was doing. Right? He just created it.


But when people actually understand that, because technology came on so fast for us. Mhmm. Right? I'm fifty two years old, and I remember my Razr flip phone. Right? I thought that was technical.


Yeah.


And because it came so fast, we didn't understand the risks associated with it.


Right.


And how people would use it, because it was so new and so much fun. I mean, texting and, you know, when we got the Internet and we were, you know, AOL, you know, do you remember that?


Yeah.


When we would dial, you know, call it, it came on so fast that we really didn't understand how to develop risk strategies around it. Right. The cavemen, right, developed risk strategies around learning how to use fire. Like, when they first found fire, the cavemen were like, oh, great.


It's fire. Yeah. You touch it, and they burn their hands. Oh, don't do that. Right?


Sure.


If you put wood near it, it burns.


Don't put a fire in the middle of a wood structure. Like, that would be bad.


We had to learn, you know, what the risks were. And the thing is, cyber, it's not IT. And, oh, I wish people would understand the difference. Right?


There's there are IT people. They do internal networking. Mhmm. You know?


That's their job. Cybersecurity is everybody's responsibility Yep. In a company.


Yeah.


From the people that work in marketing to the people that actually Yes. Maybe clean the facilities.


Everybody has a part of cyber, because it's a part of everything they all do. Yeah. And what the CMMC started off as, the Cybersecurity Maturity Model Certification. Mhmm.


When it was created, was to have a compliance mechanism so we could go in and validate companies who were actually doing the one seventy one.


Mhmm.


But it was more about getting people educated on the risk and then creating policies, procedures, and risk mitigation strategies. Mhmm. To reduce the risk of a hit, which, for your listeners, right, if somebody on here is saying, oh, I haven't been hit, you have been hit.


You have been You just Yeah.


Don't know us.


So so there's yeah.


The So For sure.


I always say Hollywood knows and will say things in a way so that we accept them, and then they become a thing. So do you remember the movie Minority Report with Tom Cruise?


I do.


Okay. And the precogs Mhmm. They would the three people upon?


Yeah.


That was actually AI and machine learning. It was a really pleasant way to tell you that statistics, right, AI Mhmm.


With machine learning can predict an outcome. Right? That's the whole point of it.


The other thing in that, which people forget, was it was the first time we saw a retina scan in the movies. Right?


So that was the first time, when Cruise got on the bus.


Do you remember all the ads were directly... Yes. That was the very first time.


Yes. And it seems so chaotic and overwhelming to be bombarded by recognizing who you are and giving you content that you need to pay, or you will pay, attention to because it applies to you. But that's what we're experiencing every day.


Right now. Right? And that movie was made, what, twenty years ago? Yeah. And you think about when you walk into Target today, and where you're standing in the aisle, your iPhone or your Android pops up with an ad for something next to you in the aisle. Yeah.


Folks, Hollywood was trying to tell you. So this other part of Hollywood, so everybody can, and they've made this analogy and told the story many times. But in the movie Phenomenon with John Travolta, he has a tumor in his brain.


Mhmm.


And he's just armor. Right? But as this tumor expands, he becomes the smartest human being ever to have lived. As the tumor grows, it's actually igniting parts of his brain that we generally will never activate. Now the subplot of that whole movie is his best friend is a farmer, and they're both trying to figure out how to keep these bunnies from coming into their farm and their produce. Okay.


And as John Travolta's character is getting smarter, they're trying new and different ways. Like, they're building the fence really, really high, and they're building the fence really, really low into the ground. And then they're blasting music at the farm to keep the bunnies out, and then sending radio frequencies. And as John Travolta becomes the smartest human being, moments before he dies, because he's dying, he looks at his best friend and he says, you know why these fences aren't working? And he's like, no. He's like, because the bunnies are in the farm.


And ladies and gentlemen, the bunnies are in the farm. Right? The adversary is the bunny and your network is the farm, and they've been in there and they've gone in.


We in America, and I hope we never change, I think our country is worth defending. She is just the light of hell.


If you've ever been anywhere else in the world, there is a reason why. Hundred percent agree with you.


Yep. It comes in, there's no line to get into China. There is no line to get into Russia. There is no line to get into Iran. But Lord knows, those three countries alone are filling our universities.


Yeah. Why? Because we are the greatest country with the most opportunity. Right? And our country has done amazing things. When we reduce the risk and we open competitiveness, innovation, we supersede the world in that delta, and no one else has that but us.


Right.


And it's worth, she, our country is so worth defending, and our adversaries so want to take us down. But it's a lot easier to break us internally than to have a against us.


Yeah.


So nonkinetic war is fought through going through the weakest link in a supply chain Uh-huh.


And then just, and China has a hundred year plan.


They work in destiny. They, like, they work over a thousand years. Right? China is not a country who has ever had it easy, nor do they intend to give up.


Right? Mhmm. And I say every ism, and you can't tell me an ism that doesn't get corrupted. Right?


Socialism, communism, fascism, isms tend to be bad.


Mhmm.


China has no, you know, the great competition we're in, which is massive, they don't have the rules and regulations that we have, right?


And they work off of state owned enterprises, which a lot of people in America don't, so they don't have, you know, we have Boeing and Lockheed Martin, Pratt & Whitney, and all of these different companies come together and they help build weapon systems for, you know, various different services, Air Force, Army, Space Force.


In China, they don't work like that. They have a state owned enterprise, a senior leader of the CCP, the Chinese Communist Party, sits on the board of that company. There's no competition.


And they have one million people.


Think about that.


CYBERCOM, maybe, and I'll go back and check. But maybe thirty thousand all in on US CYBERCOM. Mhmm. China has a million people whose whole job is to break into networks and destroy or steal our information.


And critical infrastructure is one of the easiest ways to do it.


Yeah. This episode is brought to you by our SecurityMetrics penetration testing team. They do a lot of pen tests. They do a lot, like, network layer, application layer, segmentation checks.


They're very, very knowledgeable and some of them have even won, like, competitions at Defcon. So you can rely on these guys to know what they're doing. Head over to www.securitymetrics.com, learn more about pen testing. And do you know, you mentioned earlier Colonial Pipeline.


It was an easy hack. When we started digging into what happened and how they did it, they had almost no cybersecurity controls in place. I have never been to a new customer and performed a new assessment where I haven't seen just a complete lack of organization in their cybersecurity stance, or, you know, major things missing. And so when we use a compliance standard or a regulation or some type of, you know, something that says you have to do these things, it gets those organizations organized in a way that increases their security stance, which they would not get when they're just reviewing their own things.


And so I kinda wanted to come back to that concept that you touched on earlier where, you know, like you said, they were just checking a box. Yeah. We're supposed to do these things. Heck, yeah.


We're doing those things. But are people actually doing those? Are organizations actually doing those things? They're not.


They're not. And so that's why I just love the CMMC, and that, you know, this really has been your baby from day one. Where are we at with it currently, and how do we get people to use it?


So, like every good thing, you know, I will say bureaucrats are not bad people.


They're just people that are dictated by policy, statute, and regulation.


So the CMMC, there were a couple of things. When I started it, I had a great team, and the team is still, for the most part, there.


I started off with a man named John Choi, Doctor John Choi, and Buddy Dees.


And I had Johns Hopkins and Carnegie Mellon on contract. And I went to Carnegie Mellon because they developed the CMMI. Right?


Because I wanna... They're amazing.


I've been able to speak to people from there, and I've been there. Carnegie Mellon's organization there for cybersecurity is just top notch. Super set of people there.


And so let me just preface some things. When I was brought into the Department of Defense, I was brought in to be disruptive.


Okay.


I was not brought in as a political appointee. I was brought in as a highly qualified expert, and then I became an SES.


Okay.


And because the status quo was not working.


Right. So you need a disruptor.


You needed a disruptor.


And when we started the creation of the CMMC, Buddy, John, myself, there were a lot of other models already out there. Right? So we had the NIST one seventy one. Yeah. We had the NIST Cybersecurity Framework. We had ISO 27001.


The UK actually stood out as a global leader with the Essential Eight. Mhmm. Which was started before we did ours. Australia had a plan, and AIA, Aeronautics Industry Association, had a maturity model.


And when we created it, I really didn't wanna put it into a DFAR rule. Right? Mhmm. Because to me, rules take a lot to change. And as, you know, as you go through this churn of our process, right, so for NIST, even back in twenty nineteen when I was in the Pentagon, Ron Ross called me, right, from NIST, the guy. Yeah. He's like, I need help.


I can't get the one seventy one bravo, which is now the one seventy two. Right.


Out of OIRA, which is held inside OMB, because of the process.


There's a whole series of things that have to happen in order for these things to be released, and it can take so much time and be really frustrating. So, for sure.


It's, like, Congress actually put in a thing, the Paperwork Reduction Act. That you have to provide paperwork to prove that you don't cause more paperwork. It's insanity.


But Yep.


I just wanted it in Sections L and M. Right? Because there were some people that, you know, and I regret that now. Right?


The industry was like, no. Because the political winds could change. And if you don't make it a rule, it may go away.


Okay.


I was like, okay.


A longer process. And what's really funny, and I'm not digging on the current members of the DOD, it's just it boggles the mind that we spent a year of the entire country.


So two things.


I get down on myself a lot because the CMMC isn't further along. Right? And if I had not been a disruptor, if I had not been saying you can't do this, you're doing it wrong, stop doing that, I probably would still be at the DOD.


And in not being there and not being, I guess, a part of it when they decided to stop and do a pause. Mhmm.


To let bureaucrats review what industry and academia had spent a year and a half creating. Mhmm. And a bunch of, and I don't mean it in a bad way, but the tiger team that they brought in were a bunch of people who've never worked in industry.


That's rough. Yeah. And they're looking at the CMMC, and they're like, oh, it's too hard. It's gonna, you know, burden small business. It's going to, and I'll go back to Deliver Uncompromised by MITRE. If anybody hasn't read that report, I highly recommend it. Deliver Uncompromised by MITRE.


In it, it talked about the acquisition strategy. Mhmm. And the cost, schedule, and performance of the basis of acquisition, and they said a pillar of acquisition was security. Yeah. And I said, well, no.


You're dead wrong. No. I said, what does it matter if I deliver the product at the cost we agreed upon? The adversary already has it. Right?


So the cost means nothing. And not by adversary meaning, like, China. I mean, like, your competitor could have had it. Right?


And they get to market because they didn't have the r and d investment. Right? Think about that. They didn't have to do it.


They just took it and put it in, and theirs is much cheaper. So does cost really matter then? No.


Schedule. Okay. If you're able to deliver your product at the time agreed upon in the contract, but your competitors or adversaries stole it and they were able to, you know, pass you in delivery because they didn't have to do R and D and work out the widgets. Right?


The widget.


So schedule really doesn't matter unless it's secure.


Uh-huh.


And performance, that's kind of a no brainer. Like, if they get it, they're gonna take that performance level. Right. And they're gonna usurp it. So unless security is foundational, it does no good.


So your argument is these other pillars are just nonsensical if this security doesn't come first.


It's the basis of everything that we need to do. And I like that.


The CMMC wasn't put in, now, it started off as a way to do compliance. Right? Mhmm. But the CMMC is more about understanding that your company has the right mindset.


You have the right policies, the right procedures in place, that you've actually trained your employees on what needs to be done. Mhmm. On a day to day, continual evaluation and understanding, the CMMC brings in every entity within the company.


Somebody asked me the other day during a CMMC assessment, why would you request to have the marketing team there? And I said, I need to know who puts press releases out.


Yeah.


Right? Yeah. Develops your website. So you're not putting any critical information out there.


It's everybody's job.


Everybody's job. Mhmm. And I think in ten years, this will be a much different conversation than it is right now. Right now, industry is in this place like, well, the government's not telling me to do it. Well, they have been telling you to do it, actually, since twenty fifteen.


Yes. But without teeth.


Without teeth. And then the new administration, right, doesn't want to, the way they termed it was, you know, we don't wanna make it harder for small businesses to do business with the government, and this is a barrier too high. Well, I don't want them doing business. My tax dollars are what's funding this.


Right? And if they're not doing what they're supposed to be doing and protected, it's a waste of my taxpayer dollars. Sure. Right?


I appreciate that small business is the bedrock. I own one. My husband owns one right now. I appreciate that. But if you're doing work in the Department of Defense, you're different.


Yep. It's a higher bar. Yeah.


It's it's a higher bar, and you're the front line of our national security.


My daughter and my son-in-law both serve. My first husband, army, my daughter, son-in-law, army.


And, you know, why I'm so passionate about this is my first husband, he's still alive, I wanna make that clear, a very, very dear friend.


But he was in an IED attack in Iraq in two thousand seven.


The comms in the Humvee that he was riding around in were as shoddy as shoddy gets. Right? Because anybody in the Army, any grunt, has ever known that when they get into these vehicles, because they're designed with a particular height of an individual, etcetera, they move things. They duct tape things around. They make it usable for them.


Right.


Well, the datacoms, he was in the turret, and the communication to the actual people in the body of the vehicle, they never heard him say halt. And they drove right over an IED, and everyone died but my first husband.


And understanding that lives are depending on it, in critical infrastructure, why it's called critical, Yeah, is lives are depending.


Exactly.


And you you mentioned health care being critical infrastructure.


A health information exchange, an HIE. Mhmm.


A Cerner, an Epic, an Accenture, what hospital systems run. Mhmm. Or doctor networks they run. And this is, you know, I say this, and I don't wanna freak people out, but you gotta understand that our adversaries are, you know, turning the power off.


Well, the FAA. Right? The NOTAM system.


Mhmm.


So how did they get that information? Do you remember, back in twenty twenty, we had SolarWinds and FireEye? Yes.


Okay. So an adversary was able to inject malware into both of those capabilities.


And when they were able to get into your network or the government networks, it took all the certs.


Yep.


And then it was able to get through all the protection layers, because, you know, FireEye and SolarWinds were just like, oh, well, it's FireEye. You can go out. That was acceptable.


And I made a big, I made a post about it, you know, that Pete Buttigieg, Secretary Buttigieg, and the president came out and said it wasn't a cyber attack. And I say, oh, yes. It was. It's just we think a cyber attack is a DDoS attack, you know, a denial of service. Right?


Right. But there are so many other ways that attacks can be made against our infrastructure, our organizations, our code, whatever it is that we value. A cyber attack can be leveled against any of them.


And this one was the fact that they had the certs from twenty twenty. They knew that the NOTAM system was incredibly vulnerable.


They knew that it didn't have a tremendous amount of protection around it. Mhmm. And they also knew because we put it all over the news that there wasn't enough money to go rebuild all the certs that were lost.


So Yeah.


That was kinda tough. We're not very good at getting organized as a country. And not just that, but I think that the communication to organizations and people, individuals, is limited, so that they may be unaware of where these attacks are coming from and who is executing them and what they need to do to protect themselves. So I think that's why the CMMC can be a really good tool to hold that tide back. But how do we get people to use it?


Well, so the government's gonna make it happen. I mean, the DOD is gonna make it happen, whether it happens in twenty three or twenty four. The rule is going through.


Okay.


And I have talked ad nauseam. I can't understand why CISA doesn't use it. Right? And they wanna do self attestation.


And I get it. Right? Because the amount of money it costs to get certification is something that most people in the government are just like, oh, we don't have the money. Well, do you have the money to lose a hundred and thirty nine million dollars a day?


I don't know about you, but if I took one year and just dumped a hundred and thirty nine million dollars a day into the defense industrial base to help these companies, who should already be compliant, Mhmm.


Become compliant, get them to where they need to be, we would be ahead of the game. Yep. But it's this pull and go. And I love the Small Business Administration, and I love everybody who's out trying to protect small businesses. Sure. But the bottom line is they're not gonna be around if they're not good at cyber and understanding the risk down the line. My husband is a land surveyor.


Mhmm.


And, of course, anybody can try and hack into his company because his wife is the former CISO with DOD. I dare you. Yeah.


I dare you. But one of the home builders said, you know, what are you doing to protect, as a land surveyor, you are the person that determines real property.


Yes. Which is absolutely valuable.


Critical infrastructure. Because you're, you know, understanding that, and they're like, what, and a home builder is asking land surveyors.


Nice.


What kind of cyber protections are you putting on? It's like, guys, and I know there's HIPAA and FINRA for the health care sector and the financial sector. Mhmm. They're not strong enough, and they're not enforced.


No. They are not strong enough. They are barely a starting place.


And the only way that those companies, so health care. Right? If you're a doctor and you wanna join the Epic network. Right?


Yep.


They don't just say, great. Log in. No. You have to you get preconfigured devices. You get extreme training for your entity, then you're put on continuous monitoring.


Yeah. And people don't realize all that's going on. So people are like, well, you know, the DIB, I'm like, guys, if I required you to do what is required in the medical industry, you would be blown away. But even that, my big, and back to my doomsday scenario, like, what gets me up at night?


So let's just say that, and thank goodness the Hive has been taken out. They were ransomware. They weren't a cyber attack. They were ransomware.


But somebody goes in and gets into an Epic or Accenture or Cerner or any of the health information exchanges, Mhmm, and just inserts malware that deletes the algorithm of the pacemaker, Yeah, for everybody.


And then the adversary, two days later, after they're sure that that's done, right, they just put out a tweet that said, hey. Pretend, you know, they create a bot that looks like it's from the manufacturer.


Mhmm.


Then if you have this pacemaker in, you're going to go into cardiac arrest within the next six hours. So people flood the hospitals.


Yeah.


Rip it out. Rip it out. And the the receptionist in the ER is logging in and looking, and you get back to the nurse, and the nurse is logging into your system and saying, you don't have a pacemaker.


Yeah.


What are you talking about?


We can schedule you tomorrow for an ultrasound, but we don't see a mat. That's how the adversary is working. Right? It's those things that you're just not paying attention to that you think, like, no, somebody's taking care of it. If you're not taking care of your own company and your own business, you are losing it. And when it comes to critical infrastructure, the most critical infrastructure at any company is its employees.


And if you are not protecting them, you aren't doing anything.


So, Katie, now that you've terrified everyone repeatedly through this conversation. Sorry.


Can you leave us with a hopeful note or a suggestion or a way to move forward? You know, one of the things that I firmly believe is that self-attestation is no attestation at all. No. Because people who review their own systems, when they put the systems in in the first place, you're not gonna find what you didn't see when you started. Right? So, what do you think about self-attestation?


It's absolutely horrible. Like, I look in the mirror in the morning. I'm like, oh, I look great. And then I come back twenty minutes later. I'm like, what were you thinking with the eyeliner today? Okay?


Yeah.


Wait till my friends tell me.


Yeah. Like, do I have spinach on my teeth? Self-assessments don't work because, number one... well, number one, in a company, a self-assessment, why it will never work is because you are potentially saying that one of your coworkers or somebody didn't do something right.


Yep.


And that's bad. You're putting somebody in the company in a bad position no matter what you do. Yes. Alright? A third party, an agnostic party, can come in and just... this is facts and evidence. It's not... it's nothing personal.


So it's needed. Right? And then even in CSAs, you know, their supply chain, the six steps to a secure supply chain is have a third-party audit come in and look and audit what you're doing.


Yep.


You don't have to... so I am begging the Department of Defense and the Cyber AB to start allowing NIST 171 certifications versus CMMC, which is... it's because the CMMC has a level one, a level two. Right? So there's a bifurcation.


My thing is, right now, people should get certified for 171.


There was an amazing article that Kim Nash wrote in The Wall Street Journal a couple of weeks ago about how banks and private equity are starting to look at how a company's cyber posture... Mhmm. Is in their mergers and acquisitions or if they were looking to invest. So your cyber posture... Yep. Is as... and here's what I would say.


It's coming. There's no avoiding this, folks. Like, get in line now. Get in line later.


It's up to you. But when the... when the DOD and the rule goes into effect, you're gonna be in a line of about three hundred thousand companies that are waiting to get certified.


Right.


And you don't get work until you get certified. So you may wanna rethink waiting.


Although you're supposed to be doing it already today. This is the part that really kills me. You're supposed to be doing it today.


But as a business, it is a value add. Right? It makes everybody you work with go, oh, you care about my business and your security. Thank you very much. Mhmm.


People shouldn't wait. Self-attestation doesn't work. It never has worked. The third-party audit needs to be done.


The conversations that are going on now, you know, about the CAP, you know, how do you assess it?


And one thing I'll just say to everybody, this is not supposed to be... and I'm gonna use the word, and please forgive me. I don't mean to get it. Like, like, a Gestapo. Right?


This is not to go in and, like, break chairs and people down. Yeah. It's to assume that you... to go through your processes. So in the DOD, how software gets an ATO, an authority to operate, is there's policies and procedures that need to be... and testing that needs to be done before we introduce a piece of software to the network.


Right.


You go into a business, and you have policies and procedures to ensure that the software that you're adding to the network has, you know, checks and balances to make sure that if that product has a nefarious capability, right, that you have risk reduction strategies around it. Right.


And that it may have tested out in another area to do another function, but does it meet the criteria to do the function you're setting it to do?


It's just to make sure you've got the right mindset, not to go through and audit every single little thing. But it's, do you let me audit one of the software programs and make sure you've actually done what you said in your processes, in your policies here, and you're going to execute.


Another thing is, you know, people think that... which is funny. I got a call from a local manufacturer, and I went out there to talk to him.


And I said, how many endpoints do you have? And he goes, well, I think I've got fifty employees. I'm like, oh.


Okay. That's a start.


That's not an endpoint, though.


And he goes, well, they're... you know, they use the devices. You know? And I said, well, no. I said, how many machines are on the shop floor right now?


And he's like, oh, I wouldn't even be able to tell you.


And I said, and all of those... and where our adversary is having fun, right, is because you haven't been aware that at night, that bad boy is calling out and receiving information back and forth. Right? Yep. And you don't know who's coming in and messing with it. Right? And the adversary.


I'll tell this one story. Gosh. I don't wanna take up time, but people... this is so... so I get called out to a company in, like, Iowa. In the middle of winter, one of the congressmen out there called and said, hey.


I have a small business. It's a veteran-owned small business, and they're saying that the CMMC is unfair. They're a welding shop. There's seven or eight guys, and it's gonna break them.


So I'm like, okay. And I go out there, and this is how I know we'll get there.


Back at the turn of the century, there was no such thing as OSHA, and ISO didn't exist. Mhmm. And you just worked at risk.


Yeah.


Now I went out to this welder, and beforehand, they sent me a note and said, ma'am, you need to wear a long-sleeve shirt, pants, and steel-covered shoes to come to the facility. Okay? They understood the risks. Mhmm. And the security measures needed to protect me and them from me being on that shop floor. Sure. I put on the hard hat, the safety goggles, and the little vest, and I walked along the line that had the red... you know, they taped off where you could walk. Mhmm.


So, obviously, they have requirements on safety that are checked by OSHA. Mhmm. A third party, to ensure that they are doing the right policies and procedures in regards to physical safety.


Mhmm.


And I walked by this one welding booth, and there's a Mac laptop open. And there's an AutoCAD drawing on it. And at the same time I'm looking at it, I noticed Amazon has just delivered a package, and his wife texts him.


And I looked at him, and I said, I don't mean to bother... you know, stop what you're doing. But since my husband's a surveyor, I know AutoCAD probably better than I know, like, English. Okay.


I spend a lot of time in AutoCAD. And I said, can I see what you're welding? Because he's looking at the specs on the weld. Mhmm. And he shrinks it down, and it happens to be a particular part of a very expensive weapon system.


Okay.


Now his particular part is buried within an engine system. He's just welding it together.


But in addition to just his welding specs, he has the whole wingspan. Mhmm. On his Mac.


And Amazon's delivered, and your wife's texting you on the same device.


And I just looked at him and I said, that's controlled unclassified information. What the hell is it doing on your personal computer?


And he's like, we haven't been hit. And I immediately did all the right things, shut the line down, got them, you know, all the tools to help them and the resources. The government has resources to help them. But that was like... that is one weld shop that is a service-disabled veteran-owned small business. This guy is doing it for all the right reasons. He is a veteran who wants to continue, and I'm just like, the adversary, because you're notated on the contract award.


Mhmm.


They're very interested in this capability. I will guarantee you, if I go in and we do an assessment, they're in there. And don't you know?


They were in there. And how do you think that the adversary knew how to build the j twenty two after the f thirty five?


Getting it off of machines like that.


Right? How did China, for all intents and purposes, right... they are twenty years behind us in software development. And they get very angry when I say that, and I have told the chief technology officer of Huawei, Andy, to his face. You know why?


It's because you've stolen... Yeah. Our software. You stole our stuff. You built on top of it.


People have to understand that you may not think that you are a desirable asset for someone to go after. And there isn't a company in this country today that isn't desirable for the adversary because they wanna destroy us from the end. They want to cause mistrust.


So going after the NOTAM system with the FAA causes distrust in our flight. The Colonial Pipeline, the hospital systems, the school systems, it's causing distrust. Mhmm.


And that is what will defeat us. Right? So we have to take a posture, and how I know we will get there. Right? OSHA was not around when the industrial revolution started. Right. We understood the risks.


We created a compliance check to ensure that people and product were as safe as possible. Mhmm. It is implemented. It is audited.


It is there today.


Yeah.


We will be there. It's just we are in that growing time of when OSHA was stood up and when they created the ISO. I mean, think about that. The International Standards Organization didn't just stand up overnight.


Nope. Took time.


It's happening.


Right? And people ask me, why didn't you just use ISO 27001? Well, it's not prescriptive enough. No. There's not an... in it. And by law, because Barack Obama said so and they made it a rule, NIST 800-171 is what the DOD must follow. So I couldn't use the ISO standard.


Mhmm.


I integrated it into the CMMC. And the thing with the CMMC that's different is we created a maturity model based on every cyber standard we could get our hands on across the globe, and we cross-matched: there's a control in the ISO standard that is equal to the control or the requirement in the NIST. It's just worded differently.


Yeah.


Right? Yep.


And to marry all that together and to do that was a tremendous amount of work. And that's why I say, you know, for the government to come and take a nine-month pause to have people within the building reevaluate instead of... you know, think about it, the CMMC didn't just appear. We went through four very public, collaborative iterations of the model where we literally... I think I did three hundred and eighty-seven speaking engagements in 2019 alone to get people's input.


Yeah. So I've seen other people try to do, basically, a crosswalk and create a standard and, you know, the people who are familiar with those know that they're out there. And the reason that they are not great is because they were just put together by people who went, oh, this looks like this and this looks like this, so I'll make this. Instead of, hey.


Working in the industry, let's evaluate these things and come together with a meaningful, you know, requirement that kind of covers the intent of both. So that's why I'm excited about the CMMC, and I really can't wait till it gets put in place. And I hope that more people than just the people who require it... So I understand that defense industrial base partners are going to be required to do this, but I'm hoping that it catches the interest of people beyond those that are doing business with the DOD so that it becomes a much broader thing than that.


In the... if you're active duty and they cannot take care of you in a hospital, you are farmed out to a commercial hospital. Mhmm. So they have contracts with the Department of Defense. So tell me how they're not required.


If you get on an Amtrak train... Mhmm.


You think that we don't move things on the rail, so, yes, we have contracts with them. We have contracts with the airlines. We have contracts with the airports. We have contracts with the trucking companies.


And so if people say... when I first started this and they said, how many companies are in the DIB? I said, virtually every company in the country has, tangentially... they may not know it, but they're connected. Right? So Staples.


Well, where do you think the military... when we run out of paper, where do we go?


Right? Somebody uses their government credit card, and they go and buy paper.


Mhmm.


People gotta understand, like, literally, tell me an entity in this country that doesn't have either... in the academic world, like, all the money that comes from grants for research and innovation. Okay. I really wanna protect that. Health care, new pharmaceuticals.


Think about every pharmaceutical, the suppliers that supply DLA, Defense Logistics Agency, right, with all of their medical supplies.


So virtually every medical supplier in the country, every pharmaceutical supplier in the country is involved in the defense industrial base. It's, you know, the one thing in this thing that we do, the Constitution. Right? We all provide for national security.


We all provide for national security. So I don't... I think it's a matter... and I've said this for a long time. Did you ever read the National Cyber Solarium report?


I didn't.


Oh, Google it. Look it up. Okay. So, and I think it started in 2019, and it's a bipartisan report that was actually led by Jim Langevin, who I absolutely... he is a great loss to the House of Representatives.


He was the guy that understood cyber on a micro level. Okay.


And led the charge. But he and, oh, I wanna say it was King, who's an independent, and Langevin... this is why I say it's bipartisan. Langevin was a Democrat.


King was an independent, then you have Rounds and Manchin on the Senate side, who are bipartisan. This is not party-specific. This is not a political thing. But that National Cyber Solarium, one of the core tenets of it was a federal cyber certification program. And in that report, they said, point blank, it should be based upon the work the Department of Defense has done with the CMMC.


Excellent. Well, I will go look it up and read that. I appreciate your recommendation.


Well... one other, and I know I'm over time, but one thing also for your listeners. Right?


Pay attention in the next few months.


The president is gonna be releasing the new national cybersecurity strategy, and there's gonna be a lot more mandates, a lot more industries. So the CMMC, I think, will move along more rapidly once that happens.


So this has been absolutely fascinating. I really appreciate your time. Anything else before we go? So anything interesting going on in your... sounds like you're going to be focusing on cybersecurity in your career for the future.


That's what you... Oh, no.


So read that. So Monday, I'm launching a consortium for supply chain risk management that includes cybersecurity so that small and medium-sized businesses can have access to risk... and teams of people to help them mitigate risk.


Excellent. Excellent.


So that's... my launch is Monday.


So where can people find you if they wanna learn more about what you have going on in your life?


For right now, because it's through group, just pop me on LinkedIn. Right? That's always been my favorite place to provide information. And when I can talk publicly after the launch, I will make sure that... you will definitely see the news talk about this, but it's been six months of my life right now to get this with a group of amazing associations and companies. So never give up.


Excited to one fight.


Alright.


Thank you very much for joining me, and I appreciate you having me.


Alright. Bye bye. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
