This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 1 of 18
Paul Van Metre:
Good morning or good afternoon, everyone, depending on where you're joining us from. Thank you so
much for joining us. Very excited for this webinar today. Talking about a super important, but often
ignored topic for a lot of companies. People are streaming in here. We'll get officially started in a
second, but I would love to start out with hearing where you are joining from. I see Anna and Andrew
and Andy and Austin, all in alphabetic order here. And, Barb and Bill and Brian and Kayley, and Casey
and Craig and Dave and Dave, and it goes on and on. Hailey and Mary and Mary and Matt and Sean and
Steven. So yes, in the chat, Ripley, New York. Very good. First, Vancouver, BC, [inaudible 00:00:55],
Vermont, Montana, Illinois. All right, Kira, welcome. Thank you for joining us. Amanda, all right, Steven
in Dallas, Ocala, Florida, Massachusetts, Toronto, our friends from Canada. Awesome. Montana,
Sterling, Virginia. Data centers, country. Okay. Orlando, New York, Costa Mesa.
Brian Haugli:
Nice.
Paul Van Metre:
Poland. Fantastic. All right. Chandler, Arizona. We have places all over the country, of the world. That's
fantastic. Well, thank you all very much for joining us today. For those that aren't familiar with who I am.
My name is Paul Van Metre. I am one of the co-founders of ProShop. I've been in the manufacturing
industry for too many years. Owned my own CNC shop for about 17 years and then launched ProShop a
few you years ago. So I am excited to be joined today by Brian and Mike from SideChannel. So Brian, if
you'd introduce SideChannel to everyone, that'd be great.
Brian Haugli:
Hey, thanks Paul. Can everybody hear me okay?
Paul Van Metre:
Sure can.
Brian Haugli:
Excellent. Hey, Brian Haugli, I'm managing partner and founder for SideChannel. We are a firm focused
solely on the mid-market and helping organizations realize, build out mature their cybersecurity
programs. Traditionally do this with a virtual CISO offering. And, our main differentiator is, we bring in
and I hire former enterprise CISOs, such as Mike Waters here who's joining us and our resident expert
on the cybersecurity maturity model certification, otherwise known as CMMC. So really looking forward
to the discussion today. And, this is a great partnership, Paul with ProShop and SideChannel, really
looking forward to the conversation.
Paul Van Metre:
Yeah, absolutely. Yes. So our customer are largely small to medium-size machine shops and others in the
manufacturing space. Sorry about the train going by. I don't have control over their schedule. And, many
of them are in the defense and aerospace industry. And so, CMMC obviously is looming for anyone in
that space. And, whether they're in that space or not, cybersecurity should be top of mind for any
manufacturer out there, regardless of whether they support the defense industrial base or not, right?
So, why don't you take it away, Mike?
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 2 of 18
Paul Van Metre:
And so, just for today, I guess a couple of housekeeping items, as questions come up, please use the
Q&A. It's much easier to manage questions there than it is in the chat. If you just want to say hi in the
chat, that's great, but please put Q&A into the Q&A, and we will get to them at the end. And, I think
that's the main housekeeping item. So, all right, we're going to turn off our cameras, I think, here for a
little bit, and then we'll turn them back on at the end when we get to Q&A and wrap up. So thanks
everyone again for joining us and look forward to this content.
Mike Waters:
All righty. So I'm Mike Waters. I've been in IT for many decades and cybersecurity probably since 1998.
Although, I don't think we called it cybersecurity back then. A big chunk of my career was 10, 11 years
building out the information security program, the internal information security defenses at a major
defense contractor. Learned a ton there. Thought I knew what I was doing when I started, learned how
much there was to learn. And, spent the last five years helping other organizations and been with
SideChannel a little over a year now.
Mike Waters:
So we're going to talk about the cybersecurity maturity model certification. We're going to talk about
cybersecurity in general, first and compliance frameworks. And then, we're going to talk about the
special requirements that the Department of Defense has and then an approach to CMMC. And then,
we've got a whole bunch of resources, including how ProShop can help you on your journey.
Mike Waters:
So cybersecurity, I've been in IT for a long time and cybersecurity is not a technical issue, it's a business
issue. And, it's important that we all understand that because that's how we make it work. Some
terminology I want to make sure we all have on the same page with, cybersecurity is about protecting
sensitive information. If it's not sensitive, you're probably not worried about protecting it. And, when we
say protecting it, the things we're trying to protect are the confidentiality, integrity, and availability of
that information. So confidentiality is what most people think of first, keeping secret stuff secret so that
only authorized users can look at the stuff.
Mike Waters:
And, that is one of the three key pieces. Another part is integrity. You don't want random people making
random changes to your data. So only authorized changes being made is information, integrity. Then,
availability, it's in the news a lot lately. It's making sure that sensitive information that you can get to it
when you need it. So ransomware is an attack on availability. You can't get to your data. So that's the
three aspects of information security, protecting the confidentiality, integrity and availability of sensitive
information.
Mike Waters:
So when I say it's a business issue, it's because it's about people, employees, contractors, customers,
processes, and technology, all managing the risk to your confidentiality, integrity and availability of
sensitive information, because you use sensitive information. You follow a process to do something with
that sensitive information, whether it's placing an order, designing a part, receiving specifications from a
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 3 of 18
client, and then turning that into an actual device. It's all about using a process with the sensitive
information to deliver something.
Mike Waters:
And, technology is just part of that whole picture. It's there to help make your life easier, help you do
your job and manage the risk. It's just part of the picture. Some people get wrapped up, focused on the
technology, overlook the people and process aspects, and they do so to their own detriment because
you have to do all three; people, process and technology. Cybersecurity, overall, people, process and
technology is such a large concept that there are various frameworks to help you get organized about
how to do it right. And, there are a lot of different frameworks.
Mike Waters:
They are almost all aiming at the same goals. They phrase them differently, they approach them
differently, they prioritize them differently. So you have to pick a cybersecurity framework that fits your
business. And again, it has to fit your business. And, there are a ton of them. So the United States,
unfortunately right now has no national standard. No national standard for privacy or cybersecurity.
Various states have them and some states are very powerful. New York and California have privacy
standards and to a certain extent, security standards.
Mike Waters:
European Union created the GDPR, which is focused on privacy. Privacy is somewhat different from
security. Privacy is about protecting consumer or individual information, whereas information security is
about protecting business type information. So they align in many ways, but they have different intents.
The line there, NIST, the National Institutes of Standard Technologies. I heard at least one person from
outside the US, I'll make sure people understand, that's a US federal agency. Department? Agency.
National Institutes of Standards and Technology. They create standards and they have a lot of them.
International Standards Organization, ISO, also has a lot of different standards. ISO 27001 is a standard
that many people have heard of and many people try to comply with.
Mike Waters:
CIS, cybersecurity, AICPA also provide standards and guidance on how to do [inaudible 00:09:43]
security. And, there are industry vertical standards. Credit card industry has PCI, healthcare interest has
HITRUST, again, specific to those industries. So I go back to the top of the slide, select a framework for
your cybersecurity program. It has to make business sense. So if you don't do anything with healthcare,
it probably doesn't make sense for you to pick HITRUST. If you don't do anything with the credit cards,
probably don't need to pick PCI. So it's a business decision, what are we going to try and use to guide
our program?
Mike Waters:
And then, all of these standards, almost all of them are voluntary. You don't have to follow any one of
those. That's why you get to pick which one makes sense for you. And, almost none of them require a
third party audit. You decide whether or not you're complying with the standard based on your best
efforts and your internal audits, if you want and that sort of thing. As a result, the sentence on this page,
there's a lot of organizations that say that they are complying or that they are driven by or adhere to
different standards, but that doesn't mean they've been certified or audited. So it's just, yeah, we use
this standard to drive our security efforts. That's kind of splitting hairs.
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 4 of 18
Mike Waters:
Now, you're on this call probably because you're interested in CMMC. So, the US Department of Defense
has special requirements and special considerations for you about which compliance framework you
should pick because they have one that they want you to use. So, the United States Department of
Defense has a massive supply chain. Estimated 300,000 organizations that do everything from lawn care
to delivering complete weapons systems. That's just a huge number of businesses. And, it shares a
tremendous amount of sensitive information with those organizations so that they can deliver the
products and services that the Department of Defense needs. The sensitive information is not classified.
That's a different ballgame, different environment. We'll talk about that another day.
Mike Waters:
So they share a ton of sensitive information and it's now called Controlled Unclassified Information or
CUI. And, that information gets handed out to roughly 300,000 organizations. And, that actually creates
a very large attack service for anybody who wants to steal that data. So the Department of Defense
decided that they needed to provide guidance to their supply chain on how to protect that information.
So they worked with the National Institute of Standard and Technology, several academic institutions,
Johns Hopkins, Carnegie Mellon, industry leaders, and other governments, allied governments, to
develop a standard called the Cyber Maturity Model Certification, CMMC. It's been out there for a
couple years. We're actually up to Version 2 now.
Mike Waters:
The CMC did not just start from scratch. They looked at existing standards and tried to build on the best
of what they had. So, there's references in the CMMC to this [80171 00:13:03] and ISO and several other
standards, Australian Standards, UK Standards. So, this standard is built on all these other standards and
it was recently re-updated November, 2021. Version 2 came out that simplified things substantially.
Mike Waters:
There are three levels of certification in the CMMC and the level of certification required depends on the
level of sensitive information control, no classified information you might be handling. So the first level,
level one, foundational. There are 17 controls. These are pretty straightforward, basic controls that you
should be doing anyway. Also, if you are dealing with the United States government, you are probably
handling Federal Contract Information. It's FCI. There is a completely separate law in the federal
acquisition register, FAR 52 204-21. And, in that, you should be complying with this level one 17 controls
already because that law's been around for a long time and it's in the contracts.
Mike Waters:
But, that is exactly equivalent to level one of CMMC version 2 if you're handling more sensitive
information, more sensitive than federal contract information. So if you're handling controlled
unclassified information, you need to be at level in the CMMC. That's 110 controls. It's equivalent to
NIST 800-171, which has been around since 2016 or '17, which you should be complying with now
already also. CMMC is a successor to NIST 800-171. If you're not doing 800-171 yet, that's something
you need to get onto right away, because you're supposed to be doing it according to the federal
acquisition and the DoD requirements.
Mike Waters:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 5 of 18
The next level up is level three, which is still under development, but it's more than the 110 controls for
level 2. And, it's for organizations that handle more sensitive, but still unclassified information. It's called
Controlled Defense Information and Controlled Technical Information. So, that's still under
development. These levels of compliance are compounding. So you can't be at level 2 unless you've
already done everything at level 1. And, you can't be at level 3 unless you've done everything in level's 1
and 2. So, you have to start at the bottom and work your way up, make sure you're doing all these
things.
Mike Waters:
The far right column of the table is important. I mentioned earlier, the standards are voluntary and don't
require a third party assessment. So the CMMC does require a third party assessment. So level 1, not so
much, it's only 70 to controls. You need to have a C-level person sign off saying, yes, we are doing these
17 things. So that's a Chief Information Officer, your COO, your CEO needs to be able to legally sign off
and say, yes, we're doing these 17 things.
Mike Waters:
Level 2, there will be third party assessment every three years. That process is also still being developed.
We might start seeing more of those assessments later this year, but they will be coming. For
organizations at level 3, there will be again every three years an assessment and it will be run by a
government agency, still under development. And, we can, during the Q&A, start putting questions out
now, but I can now address questions. It's a lot to absorb.
Mike Waters:
So why should you think about the CMMC for your organization? Well, it's a good framework. It's
certainly worth considering. And, it's been developed not in a vacuum, it's developed by a bunch of
different people in the government, but also industry experts and academia, and a lot of collaboration, a
lot of thought has gone into it. So it's a very well designed standard. So that makes it worth considering
for your organization. Also, since there's going to be third party certification required, when you tell
somebody that you comply with CMMC level 2, and that you're certified at level 2, that can reassure
your business partners that you really are doing everything right.
Mike Waters:
I know it's not uncommon for organizations to receive letters with surveys on them saying, tell us how
you do all these different things. Well, if you can just say, I am certified at CMMC level two, you can get
on with your day and not have to try and answer all these long questionnaires that are coming out.
Similarly, if your business partners tell you they are certified at CMMC level two, then you know that
they're doing a good job because they have gone through all those controls and they've been audited by
a third party. So it's very reassuring.
Mike Waters:
The third bullet there is, if you're doing business with DoD, either directly or as a sub, it's going to be
required 800-171 is required now. CMMC is going to be required as soon as they finish the rule making.
So you're going to have to do this, to continue doing business with the DoD. So, that's a good reason to
choose it. And then, the fact that so much energy has been put into developing this standard, other
agencies outside the Department of Defense have been looking at CMMC and saying, we don't need to
reinvent the wheel, why don't we just use that?
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 6 of 18
Mike Waters:
And, other governments have been doing the same. Allied governments have been looking at the
standard since many of them participated in the development of it and are considering adopting it for
their own use. So it's not that this is narrowly focused on the US Department of Defense, it is entirely
likely that the CMMC standard will become very broadly used across government supply chains. And
then, even if I'm not dealing with the DoD, if I can tell somebody that I'm CMMC certified level 2, that
should answer a lot of questions for any business partner. So it's my grand statement there, CMMC is
likely to become the standard because of the fact that there's third party certification required, that it's
well designed and it's going to be required by at least 300,000 organizations. So it's going to be forced
into the business environment.
Mike Waters:
Compliance approach, what you should be doing. So, first thing you should do is, figure out if you are
doing business with the Department of Defense. If you are, you need to be doing NIST 800-171, and it's
probably then the CMMC. If you're doing business with any other federal agencies, it also seems like a
probable, you should be doing these things. Second step is, determine are you using some cybersecurity
framework right now? I mentioned earlier that they all seem to aim at the same goals. So you can map
from one to another. So if you started out using a different framework, you can certainly map what
you've done to the CMMC. It's not wasted effort. It's not like if you were doing a CIS Top 20, you got to
start all over again. Those are still important things. And the CMMC relates to those.
Mike Waters:
So consider using CMMC for yourselves, because it might be required and it can map to anything else
you've already done. Certification for organizations is targeted to be required by October 2025. Timeline
shift, that is a goal date to keep in mind. If you need to comply with CMMC, you need to be working
towards being certified by October, 2025. If you'd like to get a sense of how your security program stack
up right now, there's a link there in the presentation materials, calculatesprs.com. That, or free, you can
go through and answer a bunch of questions and it'll tell you how close you are to NIST 800-171
compliance.
Mike Waters:
The SPRS in that URL refers to the score you get when you are working towards 800-171 compliance. So
if you go and use that tool, you can find out how close you are to 800-171 compliance, which is the same
as CMMC level two compliance. Yeah, it's a free tool. Just takes a few minutes for you to go through and
answer the questionnaires and then push a button and tells you what you need to work on.
Mike Waters:
There are a bunch of acronyms because it's a government thing. So I thought you should know about
these things as you dive into CMMC because you will run into them over and over again. So, the first
one, CMMC accreditation body. That is an independent organization. It's not part of the US government.
It's not part of the Department of Defense, but it was specifically created to help manage the CMMC
implementation process. So it's the CMMCB-AB. They are in charge of ensuring that training is
developed and that people delivering services are appropriately certified and trained, et cetera, get the
auditors in place.
Mike Waters:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 7 of 18
Individuals involved in CMMC include registered practitioners. Those are people like myself, who've
gone through to training and taking the tests and background checks, et cetera. And, we are authorized
to provide pre-audit consulting service. Certified professionals is the next step up. They can do as a
registered practitioner can, but can also participate in formal CMMC assessments. Participate. And then,
there's the top of the heat certified assessors. These are people who have gone through extra training
and checks to ensure that they can lead actual formal assessments. And, it's important that these people
go through these rigorous checks and training because the results of their assessment determine
whether or not you can do business with the Department of Defense.
Mike Waters:
So it's important that they do a good job auditing your compliance and give you an honest answer so
that you can deliver services to the Department of Defense as required. And then, there's businesses,
organizations involve service providers, register practitioner organizations, RPOs, provide RPS for
consulting engagements. So I work for SideChannel, SideChannel is an RPO and I'm an RP. There you go.
And then, the next is the certified third party auditing organizations, C3PAOs. I'm sure it's inspired by
Star Wars. They can provide certified professionals or certified assessors. There are not a lot of C3PAOs
or CAs. There are so few of them right now that the assignments to do audits are being managed by the
CMMC-AB. See the top of the slide.
Mike Waters:
Registered practitioners are the people you need to talk to now through registered practitioner
organizations, to ensure that you get a pre-audit done so we can make sure you're on the right track to
get things ready for when the auditors show up. Let's see. Yeah, important website. So the Department
of Defense, CMMC website, that's that. It's out of the ACD, which is the Acquisition Department,
officeofthesecretaryofdefense.mill. CMMC. Sure, you could Google it, but these are the official sites. The
CMMC accreditation body that I mentioned on the previous slide, they have their own website. Again,
it's not part of the government, they're facilitating implementation of CMMC.
Mike Waters:
Then, SideChannel consulting, our own website sidechannel.com. As I mentioned, SideChannel is an RPO
and we have quite a few RPS on staff as well. And now our partners at ProShop are going to talk about
how ProShop can help you with this journey because there's a lot to do. And, if you're going to start
from scratch, that's kind of challenging. So ProShop, I'm going to hand it back over.
Paul Van Metre:
Sure. Thanks, Mike. Before I get into my part, I just had a couple of questions maybe that... I know we're
going to have formal Q&A at the end, but a couple things came up. So October 2025, some people might
think that's a really long way off. Why should I get started today? But then, when I saw your comment
about how many C3PAOs there are, or how few there are, can you just talk a little bit about timelines
and what people might expect and what's going to happen when everyone goes to flood to try to get
their audits and all that?
Brian Haugli:
Yeah. Paul, this is Brian. Actually, Mike, do you mind if I take this?
Mike Waters:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 8 of 18
Go for it.
Brian Haugli:
So, one of the things that we're going to see, and I just I'll be on camera so we can see me here... one of
the things that we're going to see is, I think there's only about five registered C3PAOs today. Out of the
gate, the anticipation and kind of the discussion that is kind of coming through is, those that are going to
be at that level 3, or expected tier level 2, they're going to be probably front of the line to have to go
through certification. So think about your Lockheeds, your Boeings, your Raytheons, they're going to
have to get their certification and probably have to go through that first. So with a minute amount of
registered C3PAOs, their focus is probably going to be towards those first.
Brian Haugli:
The other half of that is, when you look at other areas that go through a certification and get some type
of accreditation. So if anybody's ever been through a SOC 2 type 1 or a SOC 2 type 2, where you build
your security program, and then you have a third party auditor come in and assess you, you have to
remember that there's a readiness period that goes on first. So you have to get your organization ready,
you have to be assessed during a timeframe, and then you're granted a certification. So you really need
to start thinking about if you plan on being certified by 2025, back that up six months, identify that
you're trying to be certified by early 2025. And then, back that up by a year to a two years to go through
the preparation readiness, make sure that when you bring the auditors in and you pay for them, you are
ready for audit, right?
Brian Haugli:
So, the reason that the registered practitioners and the readiness groups exist and why that whole thing
was created by the CMMC, was so that you can actually get ready and prepare for. The worst thing you
can do is, one, wait till last minute, try to then line up an auditor, fail your audit, and then be in a
position where now you cannot actually be on that government contract. So preparation around this is
looking at the timelines, getting realistic about your organization, how long it's going to take you to be
prepared, factoring in that you might miss certain things, have to fix them before you can actually go
through the accreditation. So, really, just project manage and back your timeline.
Brian Haugli:
So people should really start thinking about 2023 as their time to really, very latest, begin their journey
to get ready. And again, depending on your organization, if you're a larger organization, complex, and
you know you have legacy and technical debt, start sooner. So, that's just some feedback there.
Paul Van Metre:
Thanks, Brian. Do you expect that there will be such high demand for these auditors that companies will
have to get on waitlists and they might not be early enough on the wait list to get certified in time, in
which case, what does the government do?
Brian Haugli:
Absolutely. Yeah. I can't speak for what the government's going to do, but think about it if today, and
this has been in existence for going on two years, right, there's only five certified C3PAOs. If they can
even accredit one per month over the next two years, we're looking at a backlog. So yes, lining up your
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 9 of 18
auditor, getting into that queue, being ready, is definitely something that's going to have to happen. I
don't know how the DoDs going to address the shortfall of approved and accredited C3PAOs, but this is
something that I feel as though the government's going to say, well, we're trying to, and you're just
going to have to deal with it. They have been very clear, the DFARs ruling that's going to come out, if you
are not certified by and through CMMC, you cannot bid on those contracts, which have those
requirements in them.
Mike Waters:
Yeah.
Paul Van Metre:
Yeah. That's a weighty threat, yeah.
Mike Waters:
Let me add to something Brian mentioned, because you mentioned SOC audits. The CMMC audits will
require evidence. So it's not like you can be, get everything ready, and then the auditors show up on the
next day. They're going to want to see evidence that you're doing the processes that you say you are
doing, that are required by the standard. So you need to have 6 to 9 months of evidence to demonstrate
that this is the way you do things. It's not something you just slap together for the auditors. It's got to be
evidence.
Mike Waters:
So there's three types of evidence. One is documentation like blog files. Or if you say you fill out these
types of forms, every time you do a change, you need to bring out a pile of forms to show that you've
done those changes. That's one type of evidence. The second type of evidence is interviews. Where they
will interview the people who are involved in the processes. Not the CIO, but the people who are
actually doing the processes unless it's a process involved CIO.
Mike Waters:
And, the third type of evidence is testing. Where they will actually check and see if something is
working. So if you say you have a control that fires off an alert whenever an unauthorized device is
plugged into the network, they will plug a device into the network and see if somebody comes running
down the hall to see what it was. So you do have to accumulate evidence. So waiting till the last minute
is not a successful strategy. You need to be ready with things in place and collecting evidence, 6 to 9
months before the deadline for getting audited.
Paul Van Metre:
Wow. Good advice. Okay. Well, I'm going to come on camera as well to go over this part of things. So
how can ProShop help? So ProShop can help in a few ways, but obviously there's only a limited scope
where an ERP system or QMS system or MES or whatever, overlaps with the standard in the
requirements, right? So there's a ton of things that are completely outside of anything that the ProShop
might be involved with. But, as sort of the digital backbone of many customers, it plays a pretty crucial
role.
Paul Van Metre:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 10 of 18
So, when we first learned about this coming down the pipeline, three years so ago, we researched it, we
talked with customers, we did a lot of reading and we decided to start building a bunch of features. So
for the last three years, we have built a whole suite of security features, which there'll be some
screenshots in just a minute here.
Paul Van Metre:
So ProShop customers today can, if you are a security administrator in ProShop, which is a new thing
that we added, you can go to that tab and start configuring those settings. I should mention, those are
things that are currently in ProShop today. We are continually building new features, looking at what
the requirements are and seeing if there's more places that we can add value and make this easier for
customers to meet the requirements. Just very, literally very practical types of things that matter on a
day-to-day basis.
Paul Van Metre:
Yeah, you can go to the next slide, Mike. So there's a couple different areas. So identification and
authentication is one of them. I'm sure Mike and Brian will tell you this, the number one weakest link in
any security system is the people, right? People doing stupid things, using super weak passwords, giving
credentials to someone that they maybe shouldn't give credentials to, or allow them some access into
their system. So we have put quite a bit of work into password complexity regimes. So we no longer
allow the use of the most 100,000 most commonly used or weak passwords. In fact, there's quite a bit of
configurability in the different password schemes that we allow, including the ability to preclude certain
phrases or words from being any part of any of your users' passwords. So you could remove your
company name or your street address or anything that a third party person might use to guess what a
password might be. So you can put as many of those in there as you want.
Paul Van Metre:
And then, of course, probably maybe most important of all is, we have full multifactor authentication
with FIPs compliant, security keys. So, I actually have one right here. So we use these for our own
company. So these little UBI keys. So these have to be plugged into the device that you are logging in
with. And then, you press this little button right here, and that generates a one time code that's only
good for a certain period of time that will not allow you to log in to ProShop unless you have this
physically with you.
Paul Van Metre:
So even if someone does guess or hack your password, or you inadvertently give your credentials to
someone that shouldn't have them, they still will not be able to log in without that physical key. So you
can go to the next slide, Mike. All right, access control. So this has to do with just physically limiting
access of who can log in and rules around that. So we've built the ability to completely configure
unsuccessful attempts. So you get to lock that down to a very, very low number. So someone that's
using an automatic password generator would be blocked almost instantly.
Paul Van Metre:
You can provide and generate your own security rules that would be required probably under the NIST
requirements and CMMC. One of the big things, is there are people in your company that are going to
have to be administrators and administrators by nature have quite a bit of broad access to data. But,
when they're doing that administrative role, they're only doing that a very small portion of their time. So
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 11 of 18
we have built the ability for administrators to basically be able to browse and use the system as a nonprivileged account most of the time. And then, they can just access and turn on sort of that
administrative privilege only when they're doing things that do require that advanced functionality.
Paul Van Metre:
Same thing with, yeah, I guess our edit log, for example. That would be a new feature that allows you to
see any changes that were made into the database, into the system at all. And normally you don't need
to be able to access or use that, but you can turn that on when you are, say, going through an audit or
something like that, or doing some of that testing that Mike talked about. And then, of course... Yeah.
Mike Waters:
Just want to comment. I have clients who are struggling with these facets right now and what you're
doing at ProShop is like, yep, that would've solved that problem. That would've solved that problem. So I
just want to reiterate that these things that you're talking about really are valuable and important for
being able to comply with this standard.
Paul Van Metre:
Yeah, again, they're just super practical things that are, on a daily basis, you got to be able to deal with
them. And if your main software system doesn't do them, how else do you do it, right? You do some
weird IT thing where you're using virtual machine. You're doing remote connections. Or, who knows
what? I'm not the IT guy, so I couldn't even say. But, yeah, I know it can be ultra complex. Again,
whether or not you are ultimately going to go for CMMC, just having some of these really basic sort of
daily use tools can really have a measurable impact on the security of your system.
Paul Van Metre:
We have heard about, and even know some of our customers that have been hacked and they likely
would not have been hacked, had some of these functions been in place for their company.
Brian Haugli:
Yeah. Paul, you raise a really great point. Even if you aren't held to having to meet a certain level,
honestly, a really good security posture is evident in at least the level 1 controls. We're talking about less
than 20 controls that you can put into your organization to meet. And, the number are the things that
you're doing here address those. But, basic security, you would lock your house when you leave it, right?
You might not need a big fancy alarm system. You don't need a patrol. You don't need armed guards at
your house, but you lock your doors when you leave your house, at least most of us do.
Brian Haugli:
So it's simple, basic things. And, when you look at Microsoft's data, when you look at other reports that
come out, a majority of attacks that are successful, take advantage of very basic, fundamental security
components; misuse of administrative privileges, just using a username and password. Again, very basic
things. So if you walk away from anything from this conversation today, don't look at, oh, I don't have to
do anything around CMMC. It's actually a great guiding light.
Brian Haugli:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 12 of 18
Level 1 controls are, I would consider, basic enough and standard enough to be able to implement in any
organization. They're not going to break the bank and they're going to at least set you up with a decent
foundation. That's why CMMC was built by very smart people who thought about this and created that
level one for a reason, because it's kind of the bare minimum, if you will.
Paul Van Metre:
Mm-hmm (affirmative). Yeah. I appreciate that, Brian. If you go to the next slide, Mike. All right, so here
is a screenshot of our new security tab that's in the config settings area. This is available only for people
that have the security administrator privilege, which is a new privilege in ProShop that we didn't used to
have. So top of the list there, security notice, and there's another page where you can configure what
that actually says, require brand new users to reset their passwords on first login, maximum successful
attempts, terminating sessions that have various... I don't want to read them all. But, just really basic
settings that you can configure to be as tightly controlled as you want.
Paul Van Metre:
And, obviously expert requirements that passwords expire, password validation rules. You can see that
one even says CMMC. So, that's a configuration that has already been mapped or configured in the back
end to meet the requirements of the standard. And obviously, if things like that change in the future, we
will update the features to always be compliant with the latest versions. So quite a bit of stuff that you
can do there. And, if you jump to the next page there, Mike. So, here's just an example. This is
something I just grabbed from our page where we can manage those security tokens, security keys. So
this is actually screenshotted out of our own system. So every employee in the company has their own
key. They have their sessions that are launched when they open their browser and log in. You can set
maximum ages, of course. So you could even lock that down to just be a few hours. So someone
couldn't be logged in much more than their single business thing.
Paul Van Metre:
And, you can see across the top there, there's just quite a bit of other... I don't have screenshots for all
of those, but quite a bit of other areas and pages for that. Can you go to the next page, Mike? Actually,
this is the page where we have the one time password devices. So today we just have these physical
keys. In the future, it's very likely we'll include some other options as well, but these FIPs compliant
keys... I don't even know what FIPs compliant means, I've just heard a lot of people use them. Mike, you
probably know.
Mike Waters:
Yeah, but I'm a nerd.
Paul Van Metre:
What does FIPs compliant actually mean?
Mike Waters:
Federal Information Processing Standard. Another federal standard about how things are done to make
sure that they're secure and they're not easily corrupted.
Paul Van Metre:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 13 of 18
Okay. So is it kind of the gold standard for hard workies and there are kinds that are not FIPS compliant.
Is that the case?
Mike Waters:
Yes.
Paul Van Metre:
Okay. All right. So, practically speaking, you can issue these to your people. I think they're like $20 or
something. Keep track of them, see how often they're used, when they're used. If someone loses them,
you can disable that one so it can't be used again. Issue them a new one. A lot of people I know, put
them on lanyards that are attached to themselves. So they walk up to their computer. This one even has
a little... you can read that, but a little wifi. I don't know, it's NFC, so it doesn't actually be plugged in,
you can just swipe it right by the computer. It has a reader. And, that just makes that super easy to make
sure you're using that two factor authentication in a very lightweight way that doesn't take a ton of
overhead.
Paul Van Metre:
So that's one. You can go to the next slide. All right. Infrastructure and how ProShop is hosted. So the
vast majority of our clients use our cloud services and we use AWS exclusively, Amazon Web Services.
And, for any clients that are dealing with iChart data or will need to go to CMMC, they use our gov cloud
option. So that is a specific region or area, physical, hosting location on AWS, where they only allow US
persons and they have all sorts of additional security protocols. So clients can do that option.
Paul Van Metre:
This is anecdotal, but we have had clients that have been recently audited by some of the primes who
have said that their gov cloud instance is acceptable to them. We've had other clients say that they have
customers that say you cannot host anything on the cloud. Whether or not that's a misinterpretation of
something, I'm not sure, but that's why we also have our on-prem deployment options.
Paul Van Metre:
So we have clients that are completely on on-prem and even totally airgapped where they're internal
network, where they're handling all this CUI and data is completely disconnected from the outside world
at all. So we do require access to that on occasion to do updates, maybe upgrade your version of
ProShop. So we'll connect for a very brief period of time. Often being monitored by the customer, as
that happens, do the upgrade and then disconnect again, and then they reconnect. Or, they then take
their airgapped network offline again. So, there's definitely options. For us, even for on-prem clients, the
product is identical. There's no different on-prem version of ProShop, it's the same exact product, same
exact code base so it's easier for us to manage, but we just update it on a less frequent basis.
Paul Van Metre:
So both options exist. And, I think go to the next slide there, Mike. All right. So, this is a really important
one and that is protecting the actual CUI. And, I'm actually just writing a blog about this. Mike, you
mentioned earlier, this very large attack surface, all these 300,000 vendors in the industrial base. On an
individual basis with customers, there is CUI in most shops. If you walk into most shops, there's going to
be controlled and classified information everywhere, right? It is in the download folder of their local
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 14 of 18
laptop of their sales people. It's in filing cabinets, it's in physical drawings that are floating around the
shop that have been stuffed into people's tool boxes. It's on their servers, of course. It's in the back seat
of the car of the salesperson that took a drawing from their customer, right? It's all over the place.
Paul Van Metre:
So one of the things that we do, which I believe is very different than any of our competitors, is we have
an entire backend file system that is managed by ProShop. And, this is available of course, to cloud
customers and on-prem clients, that has very configurable access based on ProShop's authentication,
including that two factor or multifactor authentication. And, what's unique about it is that, let's say you
are out on the shop floor and you pull up the latest approved drawing for that work order you're
working on. When you click the link, of course, it's based on your permissions. If you do have
permission, it can open that in a browser tab right there at your machine. And, the important part is that
file is in memory only. And, as soon as you close that tab, it is gone and you never actually copied that or
had it local to that hard drive.
Paul Van Metre:
So when you think about the way we do this, even when you're getting files from a customer, for
example, let's say they give you a login to their client portal, right, where you go download your
drawings and models and customer POs and things like that, if you copy those directly into the ProShop
file system, those never existed on your local network at all. So, that can dramatically limit the footprint,
if you call it, of where you're needing to store and then manage that data. So I think, Brian or Mike, you
can back me up on this. If you are really limiting where you are actually storing data, that makes it vastly
simpler to protect it because there's just far fewer places where you actually have that information. So,
that's one thing that'sMike Waters:
Sorry, you want to have a perimeter and be able to identify where the CUI is traveling. And, the more
you can constrain that, the better it is, the easier it is for you to identify the perimeter and to control it.
Paul Van Metre:
Right. Yep. Awesome. Yeah. I think next slide. I think we're to Q&A. Yes, we have about 10 minutes left.
We have a few here that have been coming in. So let me go through them. Steven asks, how do you
handle your UBI keys at the end of a workday? What would you say to that, Mike?
Mike Waters:
Well, you definitely have to control access to your physical access devices, whether they're door keys, to
secured areas, or UBI keys, you have to ensure that you're maintaining control of them. There has to be
a policy and a process where it depends on the circumstances.
Paul Van Metre:
What would you say is a best practice for a medium sized company that is using physical hardware keys
like that?
Mike Waters:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 15 of 18
So they're typically issued to individual users to carry with them at all times. So they need to have a
policy in place about, this is how you take care of your UBI key. So probably doesn't go well in your
pocket with your car keys. So you need to provide specific advice about how there should store them
and keep them, but usually UBI key travels with the user. So you need to ensure the users know that
they're not to share them for instance.
Paul Van Metre:
Yeah, how about if they leave at the end of the day, do they store their UBI key somewhere at work, in a
locked area or something like that?
Mike Waters:
That is an option also. Brian, did you have aBrian Haugli:
Yeah, definitely an option. I would think about a UBI key, like you would think about the key to the front
door of your headquarters. How would you treat that? If you have to have that on you, you can have
that on you. Don't just leave it around at the house. Keep it within some type of physical control, right,
and access. Think about it that way.
Mike Waters:
Plugged into your laptop when you walk away from your laptop.
Brian Haugli:
Yeah. Definitely don't do that. Yeah.
Paul Van Metre:
Right. Yep. Okay. Oh, yes. Of course. Do you have any customers that access ProShop to an enclave
environment? If so, how would two-factor application work with the UBI keys? I don't know what an
enclave environment means. Either of you know what that means? Is that like a VPN?
Mike Waters:
So I think your gov cloud example is a good example. So an enclave is any protected area, really.
Paul Van Metre:
Okay.
Mike Waters:
So you can establish an on-prem enclave or cloud on enclave, but it's just a protected area that is, you
get a specific set of controls around those.
Paul Van Metre:
Right. UBI keys, yeah, work regardless of where the hosting is being performed. And, enclave isMike Waters:
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 16 of 18
I didn't answer that question.
Paul Van Metre:
Oh, and he says an enclave is a lockdown virtual environment that you access via RDP.
Brian Haugli:
So you'd probably have to be able to pass the USB connection through the RDP session, if you're going
to go that... I think that's a great question. Definitely something you want to look at your configs and
what you allow to pass through because the physical key will be physically at you. It needs to somehow
be allowed to flow through to the actual target, which would be the ProShop environment.
Paul Van Metre:
Okay. Tyler, we'll make a note. Sarah, if you would take that note, we'll give you that answer. Someone
asked, is there anything stopping someone from screenshotting a file, taking a screen grab? There's
nothing in ProShop that limits that, but I know there certainly are security settings that you can put on
individual computers that don't allow that type of functionality. That would be similar to a company, not
allowing cell phones on the shop floor because anyone could pull up their phone and take a picture of a
screen at any time. So, that needs to be part of a more cohesive sort of it infrastructure policy making
process.
Mike Waters:
Yeah. In addition, remember; people, processing, technology. So yes, there are some technical controls
that can help with that, but more important is that you should have a policy that says, that's not
allowed.
Brian Haugli:
Right.
Mike Waters:
Because then if somebody's doing it, you can say, stop doing that.
Brian Haugli:
Right.
Mike Waters:
Give me your phone, you're violating policies, et cetera. So, the policy is a key part of that. It's not
everything can be controlled with technology.
Paul Van Metre:
Sure. Yeah. Absolutely. Barb asks and Barb is clearly a client, we've decided to have our office manager
using the admin role. However, I, as a quality manager, will be doing the implementation. Will I be able
to change her roles after implementation? Absolutely. You can have someone have more privileged
roles for a finite period of time to help with things like onboarding or implementation and then turn
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 17 of 18
those off as soon as you want to. A couple other questions here. Someone says, I had heard that CMMC
2.0 didn't require third party audits, but the slide that you showed, that still is a thing.
Mike Waters:
Yeah. It's changed since the initial announcement. The initial announcement was that there wouldn't
require third party for level 2, except for some organizations.
Paul Van Metre:
Okay.
Mike Waters:
But, recent statements by DoD representatives, are like, we looked at the sum and it turned out to be
most of the organizations that need level 2 certification. So, it's likely that if you need level 2 CMMC
certification, it is likely you will need to have a third party audit. Because they looked at it, they're, well,
not everybody. Well, maybe everybody.
Paul Van Metre:
So a typical say machine shop that's making machined parts or small sub assemblies that go into defense
applications, they're going to likely fall in that level 2 area.
Mike Waters:
Likely. And, it goes back to something we talked about before the call started, are you handling CUI? So
the way you know you're handling your CUI is, you should be getting information from the government
that says CUI on it. It should say controlled and classified information. It should be labeled by the
government. Now, the government, they're not necessarily 100% on labeling things. Sometimes they
over classify and you'll get stuff that's labeled CUI that is probably not. But if it says it's CUI, you have to
treat it like CUI. Right. If you think it's COI and because it seems like sensitive government information,
this part needs to have these exact specifications and then it's something you only make for the
Department of Defense, that's probably CUI. And if they're not labeling it, you need to actually, in your
best interest, contact your technical representative at the government and say, is this CUI and get a
definitive answer from them?
Paul Van Metre:
Yep. So another question as it relates to ITAR data. So, is ITAR data the same thing as CUI? How do you
think about that?
Mike Waters:
It is. Don't shorten it up. ITAR is a category of CUI. CUI includes defense related things, but it also
includes export controlled information and ITAR is explicitly export controlled. So ITAR information is
CUI information. It's a category of CUI.
Paul Van Metre:
Okay, great. So here's another question. I'm in Canada, how will this apply to me? Or say Australia, for
example, or the UK. Can my company in Canada become CMMC certified? Does Canada have an
equivalent thing?
This transcript was exported on May 09, 2022 - view latest version here.
Getting Ready for the Cybersecurity Maturity Mod... (Completed
05/03/22)
Transcript by Rev.com
Page 18 of 18
Mike Waters:
So Canada and Australia and UK were involved in developing a CMMC standard. If you currently provide
goods or services to the United States Department of Defense, which organizations outside the US
definitely do, then, yes, it will apply to you. And yes, you can get certified.
Paul Van Metre:
Will Canada have their own C3PAOs?
Brian Haugli:
No.
Paul Van Metre:
No. Okay.
Brian Haugli:
It's not like Canada has their own CMMC for how to deal with the United States DoD. Think about this, it
doesn't matter where you are, if you support the DoD in any way, you're going to fall underneath CMMC
regulations. So you can be in APAC, you could be in Europe, you could be in Australia, Mexico, Canada.
Mike Waters:
There's a large Italian defense contractor that needs to be CMMC certified, so, yeah.
Paul Van Metre:
Got it. Okay. Well, we are right almost at the top of the hour. We won't be able to get to all the
questions. We'll try our best to get few answers offline for those that have questions that didn't get
answered yet, but let's just go to the last slide. Just share contact information. If people want to get in
touch with you all or with us, that is the information. Of course, the recording for this will be sent out to
anyone who registered so you don't need to scribble this all down. We'll share that in the email as well.
Paul Van Metre:
But, thank you all very much for your time and attention today. Hopefully you found value in this. Thank
you, Mike and Brian, really appreciate the knowledge that you guys shared. Hopefully again, that was
useful to everyone on the Zoom today. Thank you, Tyler and Andrew, Samuel, Brian. Thank you
everyone for joining us. We'll see you on the next webinar. So have a great rest of your day, everybody.
Brian Haugli:
Thanks, everybody. Thanks, Paul. Thank you. Good job, everyone. Good job, Mike.
Mike Waters:
Thank you.