– Hello, everyone, I’m Nate Fields, associate editor for Modern Machine Shop. And I’ll be your moderator for today’s webinar, Navigating Defense Work Amidst the Rapid CMMC Rollout, brought to you by ProShop. So in this webinar, discover your best path forward in the world of defense work compliance in this informative session. Secure your future in defense. Our presenters today will be Paul Van Metre, Nick Preece, and Tyler Kowalczik. And let’s see, Paul, do you wanna do the rest of the introductions?
– I can certainly do the rest. Yeah, thank you, Nate.
– All right, thank you.
– Appreciate it, hey, everybody. Thanks for joining us today. I realized as Nate was describing the title, maybe the word rapid should not actually be in this, ’cause it has been anything but rapid, but it is picking up speed at this point. So it is an important topic, especially for anyone that is at all in the defense industrial base supporting the government and defense contractors. So if that’s you, you’re in the right spot, and I am excited to introduce the guests. We’re gonna start just real quick with our, well, actually, maybe some housekeeping. So, you know, in this platform, there’s the chat. I think you can chat in there, share. I always like to ask people where they’re joining from, so we can see where in the country or world people are joining us from, so if you’re open to that, go ahead and throw that in there. And then there’s the formal Q&A section. So please, if you do have questions at any point, please throw those in the Q&A, and we will definitely have time for those at the end. You’ll also see there’s a couple of handout links that Eric’s, thanks for kicking us off in Frederick, Colorado, Leander, Texas, Dubuque, Iowa. Awesome, thanks, everybody. Love it, love it, love it. There you go, there you go. And we’re gonna start just by sharing our mission statement. We always start with this. We think it’s really important, ’cause it truly drives what gets us excited every day. We deliver powerful manufacturing software by deeply understanding our clients’ challenges in order to meaningfully improve their businesses and in turn, their communities. And for all of you that are working in machine shops or precision manufacturing, you are the foundation of our economy, so thank you for what you do. And let’s get into the agenda, and I’m gonna then introduce our panelists and guests here today. So we’re gonna be covering just kind of what’s the very latest. 
There’s always changes and delays with CMMC, so we’re gonna kind of touch base on that, talk about getting certified, the process. We’re gonna talk a little bit about how ProShop is helping. We’re gonna talk with Nick and Tyler about their journeys on their CMMC compliance roadmap, and then talk a little bit just about marketing it and sort of going forward, what you should be doing there. So love to start next by introducing Nick Preece, one of the co-founders of Preece Machining & Assembly. So, Nick, welcome. Thank you for joining us. Do you wanna tell us just a few words about Preece?
– Yeah, thanks so much for having me, and I’m really grateful to be here, and I agree that rapid maybe is not the best word.
– Totally.
– But I get what you mean by that, you know, getting more serious more quickly. But, yeah, so Preece Machining & Assembly, we’re located here in Boulder, Colorado. A large percentage of our business is aerospace and defense, and so CMMC’s been something that we’ve been getting told about by our customers for probably the last three or four years, certainly before COVID. And then we really started working on it over this last year and, you know, just kind of chipping away a little bit at a time. And so we’re primarily a milling shop, and, yeah, so we were started in 2018, and that’s about all I could say.
– Yeah, I got to visit Nick’s shop a couple of weeks ago, beautiful shop. So you and your brother started it, and correct me if I’m wrong, you mostly had watched YouTube videos on machining. And was it the first machine you ever saw in person was when it was being delivered to your shop?
– Pretty much, yeah. I was an engineering student and got into YouTube videos, was watching NYC CNC and John Grimsmo.
– Yeah.
– And thought I’d just get a machine just for myself, just to play with and was gonna do engineering, like, was gonna do larger, like, more R&D projects for people, and it spiraled into a machining company. We can only do machining at this point, so.
– Awesome. I love it. Accidental machine shop owner.
– Yeah, who knows.
– Awesome. And could I maybe have you go on mute when you’re not talking?
– Yeah, I know you can hear the machine.
– You guys are making chips in the background, which is a wonderful thing. And Tyler, I’d love to have you introduce yourself.
– Yeah, thanks, Paul. Thanks for inviting me to be a part of this webinar. So I work for Component Products. We are an aerospace manufacturing company located in Mukilteo. We’ve been around since 1967. It’s actually a third generation family-run business. And yeah, we started our CMMC journey back in 2021, and initially we were going for CMMC level one, but then we decided that it would give us perhaps a strategic advantage to pursue CMMC level two. So we’ve been on this journey for a while.
– Okay, and thank you for all the help in prepping. I know people will come to understand you definitely know your stuff around this, so I appreciate that. And Kelsey, how about you introduce yourself?
– Yeah, thanks, Paul. Hey, everybody. I’m Kelsey Heikoop. I’m the CEO at ProShop, co-founder with Paul. And you know, I haven’t been on a CMMC journey since when probably we should have, but I did actually follow it back in late 2017 when we were like, huh, this is coming into effect in January of 2018. Anyway, it was a good wake up moment I think for everybody. But I have had a lot of experience in compliance, you know, quality and implementing true security practices. And so that was something that I felt was important for the industry. And I think that’s even maybe a main takeaway for today would be, you know, think about the difference between CMMC compliance and good security practices. And you might find that the delta is not as high as you thought. So good security practices and ransomware is everywhere. There is a lot of people who want your very important manufacturing information, not just to ransom it back to you, but for all kinds of other reasons. So actual security, totally aside from certification.
– Yeah.
– You should invest in that. And this is part of that journey.
– Yeah, solid advice always. And myself, I am Paul, I am the chief revenue officer and co-founder with Kelsey. So he and I met in college and built our machine shop Pro CNC for 17 years and eventually sold it and started ProShop about six years ago. So been having a fun time. All right, let’s kind of level set here, what we’re really talking about here today. There’s gonna be a lot of acronyms, a lot of things depending on how far along your knowledge journey. Some of this might be like drinking from a fire hose, for others of you, it’s, you know, you could probably run this thing yourself, and we’ll get into the terminology in just a couple of more slides, but basically, if you are serving the defense industry as a manufacturer and you are receiving what’s called CUI, controlled unclassified information, in the form of drawings and models and things that you’re gonna be manufacturing, back me up here guys, they’re gonna have to get CMMC accreditation. Is that a fair way to say it?
– Yeah, I think that’s fair. And surprisingly we always wanna put something after CMMC even though the last word is certification. So it’s one of those, yup.
– And as we are prepping for this, and as you alluded to Kelsey, this is actually the NIST 800-171, which CMMC is gonna be the 2.0 version, is pretty much largely based on, has actually been the letter of the law since January, 2018. Can you just elaborate on a little bit about that?
– Oh, I mean, it was one of those moments where, you know, it’s like clearly there was a need for securing a bunch of important information, especially because our economy is built, you know, from so many building blocks, from foundational machine shops that are, you know, small but incredibly powerful and mighty in the chain, but often many levels down. And so securing information higher in the chain isn’t nearly as effective if you can’t secure it lower in the chain. So they realized this and it was part of, you know, a long journey to get to here. I think some of the original work was passed in the early 2010s, but this was the clear directive that manufacturers, heads up, you gotta meet this requirement, especially if you’re doing DoD work, of course, but that was largely just unpublished. Like, you were lucky if you even knew this even existed, let alone, you know, where you really need to be. And I think that the genesis from my personal opinion of CMMC was that they said, we gotta actually enforce this if people are gonna take it seriously. Because after four years in 2021, there was a near zero adoption, like, an insignificant amount of adoption on this mandate. And so it was like, okay, let’s make it like the other standards, right? Let’s make it like an AS requirement or make it like a ISO requirement, and really have a way to get certified. And there’s been some bumps along the way, for those of you who know, in the accreditation and in the Cyber AB. But fundamentally, it’s following in the footsteps of many other, I think, very successful and probably very impactful for the actual reasons that they should be in place. And this is what I wanted to say again, which is doing these controls, once you read them and you understand what they are, they’re all good security practices. A few of them are a little more onerous than you want. You’re like, really? I gotta aggregate my logs for, you know, analysis? 
But most of them are like, just yeah, just do that thing. It’s great. You can lift your SPRS score just by realizing you wanna be safe. So that’s a little bit of the history and also a plug for do a bunch of this even if you’re not headed for CMMC.
– Yeah, and Tyler or Nick, Tyler, you were mentioning about the DFARS and having this starting to show up on some of your contracts and your customers. Can you just share a little bit about your thoughts on this?
– Yeah, I know that our customers have been asking for a while now for us to prepare for CMMC. It’s kind of been, you know, a little bit of a buzzword, but you know, it still seems like there’s some confusion when it comes to how this is gonna impact procurement practices. It seems like the tendency right now is that tier ones and government buyers are going to overprescribe this rule. Case in point, you know, our company got a pretty simple part. Just the other day we were reading the contract, they put DFARS 7012 on there. So, you know, it’s coming. It’s gonna be pretty far reaching I think. And from what I’ve heard from, you know, major primes and tier ones, they’re starting to cut off suppliers that aren’t NIST 800-171 compliant.
– I have heard that from a few clients of ours. So, yeah, and didn’t you say that was like for some kind of washer, something super simple? Not really, actually.
– Yeah, it was a spacer.
– A spacer.
– Yeah.
– Yeah, so yeah. Good case in point about maybe over-prescribing or just really being the letter of the law, ’cause if it goes into a defense, you know, vehicle or some, it’s gonna be controlled. So, all right. And for anyone that’s been following this for the last many years, you know, there’s been lots of delays, lots of changes, revisions from 1.0 to 2.0. So I would love to let one of the three of you kind of take this one, ’cause you’re a little bit more in the loop than I am. But there’s been a proposed rule that’s due any day now, is that right?
– Yep.
– Yep. The rules, which is like a defined term in this case, are coming out hopefully. I mean, there’s a whole bunch of compliance nerds who are all like sitting, waiting for this to be published. But the rules are imminent. There’s a lot of folks who are joking. It’s, you know, a Christmas present. I don’t think for most of us that this is the Christmas present we’re hoping for. But certainly in the compliance space it’s pretty important. And then, of course, you know, just moving a little further along, there has already been a lot of motion into a third revision of the 800-171 standard. And you know, I’m not an expert in the delta between those two, but my understanding from some of the folks I talked to is that it’s enough of a change that this is not like, oh yeah, you know, we put a few T’s, dotted a few I’s, crossed a few T’s and we should be good. There’s material changes and like most compliance for any type of certification, this will be an ongoing thing. But hopefully, it’s like the other ones, which is they’re actually doing the hard work of figuring out how to make it both easier and safer at the same time. That’s our wishful thinking.
– And Tyler, when you’re prepping for this, you mentioned that this is a proposed rule change for CMMC. Can you define kind of what that means? What does proposed mean?
– Yeah, proposed means it’s not gonna be effective. Like, it won’t go into contracts until after a certain time period has transpired. So it’s gonna be a year after the rule is published is probably when it will become effective. If it was an interim rule then it would be eligible to be included in contracts. But from what I’ve heard, people think that it’s too big of a rule for it to be interim. Like, they’re gonna need to solicit feedback from the DIB and maybe make some changes that they can. But I’ve also heard that changes at this stage of the game are pretty rare. So it’s coming, as soon as it’s published, you know, that timeline where companies can get prepared is just getting shorter, so.
– So if the proposed rule is truly coming out any day, does that mean you think it’ll be in effect sort of letter of the law about a year from now, next, you know, December of 2024?
– That’s what I’ve heard. You know, that’s what people seem to think.
– Okay.
– Yeah.
– And also, just to make sure everyone’s clear about this, so, you know, CMMC is not the same as NIST 800-171, but at this point the version 2.0 is almost verbatim, you know, pointing to the 800-171. So that rev 3 of the NIST standard will directly affect the requirements of CMMC. Did I get that right, guys?
– I think everybody thinks so.
– Yes.
– Yeah.
– All right, very good. Yeah, and the key takeaway, just ’cause it’s been delayed, yes, that’s true. But this is coming, don’t bet on it going away. I definitely have heard people say, ah, it’s never gonna happen. And I think they may be sorely disappointed when it actually is in place and they will no longer be able to bid on or do the jobs and contracts they have done in the past.
– And one more little pitch for.
– Yeah.
– Do the stuff you know is improving your security posture, ’cause that’s always good. Like, if you’re not starting anywhere else, start with the stuff that makes you more secure and less susceptible to intrusion and data loss.
– Hi.
– Good advice. Yeah, go ahead, Nick.
– Well, I was gonna say, I feel like that was me a little bit, kind of, like, yeah, it’s never gonna happen. ’Cause I feel like we’ve been doing this and hearing about it for so many years, and I didn’t start taking it super seriously until as part of the onboarding process we’re starting to get entire interviews on this subject and being really questioned about it. And so that was probably about a year ago now and that’s when we kind of were like, okay, it’s actually happening. But prior to that I was on that boat of, yeah, we’ll see, you know?
– So.
– Yeah, yeah. Well, you know, it’s not surprising that, you know, people have had that position, because there’s been so many delays and so many changes that-
– It’s just been talked about for so long.
– Yeah.
– And we were told by one of our customers. The first time we heard about it, they were like, you need to be ready for this probably within a year. And that was like 2018, and we hadn’t heard about it from that customer since. And do you know what I mean? It’s really easy to let it slip.
– Sure.
– And until it’s not, until you start getting asked about it, which is what happened to us.
– So.
– Yeah, and the exponential rise in cybersecurity crime over the last five years, if you just look at that on a graph, it’s not even remotely close to linear. It’s so parabolic. And that’s why this is getting so much attention in my opinion, is that this stuff is getting lost. Information is getting lost at just a prodigious rate and that’s gotta get tightened up.
– Yeah, for sure. And we’re gonna launch a poll. We’re gonna just do a one-question poll. We’ll do another one at the end as well. We’re just asking about CUI. So please go ahead and answer that while we talk about some of these terms. And this is obviously a considerably smaller list. We’ve already, you know, mentioned a few others, including the term DIB, which is defense industrial base. But just maybe one of you guys wanna sort of go through this a little bit, just briefly talk about these terms. You wanna take that, Kelsey or Tyler?
– Yeah, I’m happy to have you do it, Tyler, if you want, but also, yeah.
– Sure, I’ll take a couple of them. I’ll let you handle FedRAMP, ’cause I know you guys have some familiarity with that.
– Yeah.
– So CMMC, Cybersecurity Maturity Model Certification, that’s what we’re talking about today. That is going to be the assessment framework that is going to allow companies to get certified that they’re meeting the controls of NIST 800-171. C3PAO always makes me think of C-3PO.
– Of course, everybody.
– Right, but that stands for CMMC Third Party Assessment Organization. They’re gonna be the organizations auditing you. And they’re the ones that get accredited or the ones that get certified. The other one, and then I’ll let Kelsey take the rest, is MSP, Managed Services Provider. That one’s kind of near and dear, I guess, to my heart, ’cause we’re a small company as I’m sure lots of other manufacturers are and we don’t have in-house IT expertise. So it’s a very important piece of the puzzle, is making sure that you find an adequate service provider.
– Awesome, thank you, Kelsey, you wanna take the others quickly?
– Yeah. Yeah, for sure. Just real quick, you know, organization seeking certification. That’s just all of us as machine shops. You know, like, hey, we gotta get certified. And you know, assets are something that are pretty easy to talk about, because they’re kind of everything that, you know, everything that would have value to your organization is some level of asset. But in terms of cybersecurity, we’re really talking about assets that, you know, have this interaction with your key information, with your information that should be controlled. Now in most cases there’s tons of information you should keep secure, but in terms of certification, they care about ones that are identified and classified as controlled, right? Controlled. And then FedRAMP, real quick, that is actually a sort of outsized standard. And what I mean by that is that it’s significantly more onerous than a CMMC requirement and it usually covers an entire organizational stream. It’s actually specifically for products. And you can check it out, FedRAMP, and they have a whole marketplace of all the products that have achieved an ATO. But the reason this is particularly important is because of that DFARS clause we talked about before. And they have specific language in there about FedRAMP moderate compliance and equivalence, is actually the word they chose to use there, which has everybody talking about it. But that’s important.
– Thank you, guys. All right, let’s talk about assuming that a shop understands that, yep, they have confirmed they do, they are getting CUI, they are serving the defense base. What do they need to do to even understand and start their journey if they haven’t already? So I think as you alluded to, Tyler, you know, finding a subject matter expert to help you, so MSPs can be that? Are there other types of organizations out there that could also be an expert to help?
– Yeah, so our journey actually started off with consultants. And so, you know, a consultant could be a subject matter expert. I don’t have a lot of familiarity with this, but I do think that some people provide, like, cybersecurity as like a service. I don’t know exactly what all that entails. I don’t think it means that they’re necessarily managing your IT, but maybe helping you with your compliance programs. And then, yeah, an MSP though can sort of function as a virtual CISO, which is what our MSP does. And CISO stands for chief information security officer. That’s the person that’s essentially responsible for executing on vision and strategy for your cybersecurity processes and maturity.
– Awesome, okay. And Nick, I know you’ve been looking at your CUI and your categorization of assets. Do you wanna share a little bit about number three with us?
– Oh, sure. I can try my best here. The machines are possibly about to just all kick on at the same time.
– It’s all good man.
– So our journey’s a little different than going with a service provider. We have somebody in house who’s been, we’ve been tapping this kind of slowly. And so the first thing we did was like, it says just literally mapping the flow of CUI as we’re receiving it and as it’s going out to the production floor, and then what’s happening to it after that. In terms of categorizing our assets, I don’t know that I would be the person within our organization to directly comment much more than that on it. We have a, like I said, a person here who’s been helping us in-house. And so, I might not be the best to answer that particular question.
– You wanna take that one Kels?
– Sure, I’ll just jump in a bit on assets, you know, I mean, I think generally speaking there’s two sort of main types of assets that they’re concerned with. You know, there’s hardware assets. These are all the terminals, all the routers, all the workstations, all the stuff that deals with CUI in some way. And then there’s, of course, software, which is, you know, also very much an asset, something you should have good tabs on and protect, but it’s a little less tangible. You can’t cut to it usually, you know, yeah, sometimes it’s on a particular workstation. But in general, those software assets also do a lot of the processing of that information, right? They’re the ones that are actually displaying it on your terminals, they’re the ones that are, you know, giving you an interface for your 3D solid model of whatever flavor you have. And so those software assets are ones that need to be controlled, because quite often they’re the gateway into actually getting or seeing, or using that information. So those are software assets.
– All right. And then the last two, implementing the controls, that’s gonna be the 110 controls of the NIST 800-171 standard. And then once I guess you feel like you can say yes to most of those, you’ll prepare for an assessment with a C3PAO. Is that kind of a basic-
– Yeah, that certified third party, you know, auditor, that’s where some of the delay has been. Just to frame that a little bit, you know, as late as middle of this year, there were precious few of those. So I think the government estimates there’s about 300,000 companies in the DIB, the defense industrial base. And if you’ve got 20 auditors, that’s gonna take a long time. So they’ve been trying to mint more of those certified assessors, and they’re doing a good job. It’s rolling forward. But I think that’s where a significant amount of the delay has been. And that’s gonna be exponential, right? Not only are they gonna burn through some of those companies already and get onto new companies, but also they’re making many, many more of those assessors, so.
– Right, and we thought we’d just share this very briefly for folks that are actually making product, you know, machining parts, fabricating things, delivering those, but not at the prime level. You guys are all in sort of the level two category. Level one, and I’m curious to get your thoughts, Tyler, you thought you’d originally go for level one, but then you decided level two. Wouldn’t the fact that you’re getting CUI mandate you have to be level two? And level one would be like someone that’s maybe, you know, an accounting firm or a janitor firm that serves, you know, a defense facility or something like that?
– Yeah, certainly. If what you have in your possession is considered CUI, then yes, you’ll need to be CMMC level two. For us, you know, a lot of this stuff that we make is used in commercial applications, commercial aerospace. It does sometimes also get installed in, you know, military applications as well. And so there was some, you know, internal discussion over like, well, you know, they’re talking about cybersecurity, does it really matter for the products that we’re making? ’Cause we don’t, you know, that’s not always considered CUI.
– Right.
– There was a little bit of a discussion there, but then we just kind of decided, like, hey, you know what? We feel like this is actually an opportunity for our company. It could open the doors to get more work. So that was kind of our reasoning for going CMMC level two. And you know, as I mentioned earlier, we did get an order for, you know, some of those parts that we sell to for commercial applications, and the DFARS 7012 was on there. Whether it should be on there, I don’t know. And I don’t know if like the buyer knows that too or if they can make that decision.
– Right.
– But if we’re already there.
– Sure.
– Then, you know, we’re already meeting the requirements for that.
– And I will mention talking to a very large machine shop in the last few weeks, you know, more than $100 million company. And so they are in direct talks with companies like Boeing and Airbus, and Bombardier, and it’s their assessment that those companies are, even though they’re not in the defense space for those commercial programs, very much moving as well into this cybersecurity realm. So even though it may not be government mandated, it’s very possible that the commercial aerospace industry will start adopting these, ’cause they also don’t want their data to be breached and hacked, so.
– It’s a really good point, Paul. I actually know of one client who got a flow down requirement from their non-government contract. But it stated that they needed to be 800-171 compliant. Right?
– Right.
– And they were like, you know, we could try and assess you individually on your security posture, but that doesn’t make sense to us. NIST did all the work.
– Right.
– Why don’t we go ahead and just tell you you have to be 800-171.
– Yeah.
– So.
– Yeah, so Tyler, thanks for bringing that up. I think it’s a really important strategic decision the shop should be thinking about.
– Yeah, and just Paul on that FCI, just to be clear that that’s federal contract information. So that’s that level one sort of area, FCI, and everything under the sun is under there. Like, apparently, they include death certificates as FCI. It’s federal information. So you know, that theoretically is controlled by level one.
– Interesting.
– So depending on what you get, you might.
– Yeah. So here’s a bunch of other things you might wanna be thinking about or considering. And I know, Tyler, that you had mentioned you chose some company that you thought was gonna be a great fit. It turns out they weren’t quite up to this level you needed, so you went with a different firm. Can you just share a little bit about what people might be wanting to be looking at or cautious of with an MSP?
– Yeah, yeah. So the MSP that we had before we realized that we’re going to have to switch, they kind of more were just the general MSP that serviced, you know, customers I guess in any industry. And it was pretty apparent that, like, they were not gonna be ready for CMMC, ’cause they were kind of treating it like other, you know, cybersecurity regulations out there that don’t have any teeth to it. Like, you know, CMMC has teeth to it, ’cause you’re gonna get certified. And then, so we started looking around. We found a company, we actually found a couple of companies and we went with one option. I won’t say their name, but they were cheaper than the other alternative. The other alternative was very costly. And, you know, it seemed good, it seemed okay, but there were a bunch of red flags that I didn’t see, because it was like my first rodeo I guess. But, you know, it became clear that they weren’t going to be a partner in this process. They were really designed for scale. And I’m not saying that there aren’t, you know, companies out there that can maybe make this work at scale, but I think with something like CMMC and the need to closely collaborate with, you know, a subject matter expert or your IT department, like, this is not something that can just be done for you completely. Like, you have to be a part of the process. So if you’re looking for an MSP, my recommendation would be make sure they’re not oversimplifying compliance. Make sure that they are engaged within the broader CMMC community and they’re not just, you know, overpromising what they can’t deliver.
– Sure.
– Make sure that there’s evidence, you know, that they are continuously investing in meeting these requirements much like, you know, ProShop developing features to support compliance. There should be proof that they’re doing the right things. Another is, you know, if they’re withholding evidence that you need to do your due diligence process, I’d say that’s a red flag. And yeah, make sure they’re not outsourcing anything either. Those would be my recommendations.
– Solid, thank you very much for that. Nick, anything on this list you particularly wanna double click on? You’re muted still. There you go.
– Okay, it has like a little bit of delay there. I really liked everything Tyler just said. Our plan’s a little different. We have a part-time staff who’s kind of acting as our chief information officer and tackling a lot of this on our behalf at our facility. And so our plan is to then get in contact with somebody, like an MSP before we actually go to get certified. We’re trying to take on as much as we can internally, because like Kelsey said, a lot of it’s just like good security practices. And a lot of it is achievable if you look at it, you know, just the list is, it’s 110 items, right? And so it’s really overwhelming, but it certainly is possible to kind of approach it slowly and methodically and actually take care of some of these things. But for us, that’s how we’re tackling it. And we found that, you know, there’s a lot of companies out there that are doing a lot to help you check some of those boxes. Like ProShop, there’s a couple others that I could add, but like ProShop, for example, just doing a couple of these things the way we’re supposed to, helps us check some of these boxes. And so we’ve been kind of taking that approach of start small and obtainable, and like it says here, responsibility matrix. I don’t know if you haven’t seen that from some of these people, that’s a literal list of things that we’re tackling for you that if you can add into your security plan, you should be compliant, if you’re doing it the way you should. Like, an example would be working directly out of the K-drive. That’s like a one possible example. And yeah, so I’m starting to feel like I’m rambling a little bit.
– No, I appreciate that. Those are good points.
– And I was gonna say that that shared responsibility matrix and you know, the ways in which other platforms, not just, you know, someone who’s consulting with you for cybersecurity, ’cause often they don’t have influence directly on the tools you’re using. You know, you’re using all kinds of different hardware and software elements. And so getting that shared responsibility matrix from your vendors where they can help you, you know, this is software vendors, this is hardware vendors. You know, there’s sometimes really simple stuff, like, certain types of hardware is just not compliant. So don’t buy that stuff. Know upfront, right? But that’s the case. So anyway, yeah, I would say for sure on that. And then I would just wanna double click, Paul, on that build mature security slash business processes. I know I’m kind of harping on this, but there’s tons of good simple stuff you can do as business processes that increase your security posture dramatically and tick some boxes on the CMMC controls, right?
– Yeah.
– To your point, Nick.
– Awesome, well, we are getting way behind schedule. We’re gonna have to pick up the pace a little bit here. So let’s just very quickly, so SPRS or SPRS score, this is basically how you’re doing on those 110 controls. I know, Tyler, you’re all over this. You wanna just share a little bit about what this means for people?
– Yeah, if you do have DFARS 7012 on your contracts, then you will have to have your SPRS score submitted. SPRS, I forget what it actually stands for, but I know it’s a system within PIEE, and I also forget what that stands for. But you’ll have to have that score submitted in order to be compliant. And if you’re doing any work direct with, like, the government, like, you know, on, like, sam.gov in order to obtain technical information that’s classified as CUI, you will need that score submitted.
– Awesome, and I just shared a couple of links, so grab those links in the chat. Hence SPRS, I believe, is the supplier performance risk system, but I also have no idea what PIEE means. But anyway, good stuff there. Let’s move along. So identifying CUI and scope and boundaries. That’s a really big part of this. Kelsey, do you wanna take this one?
– Sure, yeah, I’ll just talk real briefly about this. I’m not gonna spend too much time on it, even though it is probably one of the single biggest things you can do to minimize the burden. You know, if you decide that you’re gonna, you know, appropriately scope, and what I mean by that is, you know, define where the CUI is gonna come in, flow through your company and then reside in terms of long-term storage and, you know, later use, that will really determine those assets we were talking about. So, you know, whether certain terminals, certain routers, certain software platforms are actually interacting, right? Are processing, transmitting or storing as they list right there. And so setting up those flows. And one of the things that I think is super important about it is identification. So we’ll talk a little bit more about that later. But you need to be able to have a system that immediately identifies and then tags CUI, so that you can treat it properly. It’s nearly impossible to expect your entire company to treat it properly if you haven’t identified it as that kind of information. So we’ll talk about that a little bit more later, but that flow and being able to scope correctly will help you on your assessment dramatically.
– Okay, great. Should we touch just on the three main basic dimensions, storing, transmitting and processing? Tyler?
– Yeah, I know we’ve talked about it real briefly, but you know, storing is pretty basic, which is like, wherever it’s actually sitting, you know, in some kind of, you know, state, like a hard drive or you know, a backup drive, or a cloud storage provider. ‘Cause clouds are actually-
– Or a filing cabinet even?
– Yeah. Just on the printer, just sitting there, you know, at the machine, on paper, absolutely, all those things, right? If you sent it as part of a package to your plating supplier, ’cause you need to tell them where to rack the part appropriately, but you’re sending them the drawing of the part. That’s CUI, you’re transmitting it to them, maybe in the box or maybe, you know, in your email or wherever it is. So yeah, for sure those three things.
– Okay, and once you define those boundaries, I guess part of making sure you’re compliant is that you’re not letting that CUI leak past the boundaries that you’ve set for your own company, and every company will have slightly different boundaries based on their network and their people and how they’re choosing to meet their compliance requirements. Is that a fair way to say it?
– I think it’s a good, you know, a good way to describe it. And I think that an example of this is you may have certain aspects of your even local company infrastructure that don’t have any way to access this kind of information. The simplest example is your guest Wi-Fi. Like, everybody should have a guest Wi-Fi. Don’t have just one Wi-Fi for everybody who shows up. And that way anyone who’s on the guest Wi-Fi is what they call logically separated, right, from that. So there is no path from your guest Wi-Fi into your CUI data. So yeah, absolutely creating those boundaries and knowing physically and digitally where they are. Usually, it’s the front door, is the physical part, right? Like, that’s pretty common.
– So.
– Yeah. Yeah.
– And there’s still lots to work out there. Like, what if you send stuff in UPS, like, you’re sending CUI with UPS, how’s that gonna work? There’s a lot of question marks still.
– Just a random note. Well, I was gonna say I really liked the guest network example, ’cause that’s one of the ones that it didn’t occur to us, so we started working on this, that it’s wise to maybe have a separate router outside of the firewall for your guest network. And so that’s why I really like your point that some of this is just good practice that you should probably do regardless. So just gonna.
– Thanks, fantastic. All right, and then we could go on that topic for a long, long time. I was gonna switch directions here and just talk a little bit about how we are trying to help our clients meet this. And we’ll start by saying that ProShop is just one puzzle piece in a much bigger effort. You know, we’re not claiming to do it all. We’re not claiming to be some kind of miracle cure, but we are definitely working very hard to make this less costly, less onerous, and a little bit simpler for our customers. So I’ll share a few screenshots here, but we’re basically talking about some basic, just security settings that we’ve built into ProShop. We’ll talk for a minute about ProShop SAFE, which stands for secure access file ecosystem. That was Kelsey’s brilliant naming. I was leaning more to Vault, but SAFE is definitely the best name. And then we, for sure, are, you know, gonna be getting on the path for FedRAMP moderate equivalence or certification, I guess, it will be. And we, for sure, share our shared responsibility matrix with clients that shows, you know, what they’re responsible for, what ProShop can cover and what AWS in the GovCloud, you know, says that they got covered. So you don’t need to and we don’t need to worry about those things. So let’s jump first into security settings. So if there are any ProShop customers on this webinar, and I can’t see the list, but make sure you go into your security settings and turn some of these things on. And they are basic things like, you know, what we call our password validation rules. And we have programmed in specific, you know, CMMC compliant password rules as opposed to, you know, having a three, you know, a three character password that is super easy to hack. Things like, you know, disabling inactive sessions or how often you need to reset your password, or things of that nature. So if your software doesn’t have these kind of settings, you definitely should be asking them about that.
Anything on this Kelsey you wanna mention?
– No, that’s great Paul.
– Okay.
– I mean, there’s lots more. But we should-
– Yeah. We’re also right natively inside of ProShop managing one-time password devices. So we use YubiKeys, which are, I think, kind of the gold standard for FIPS compliance, which is another acronym, second factor authentications. So we can cover that requirement, which I believe is one of the specific NIST requirements?
– Gotta have two-factor. Yep.
– Yep, yeah.
– And for sure just on those hard keys. Yeah, thanks, Nick. He’s holding it up. That’s perfect. These keys are very inexpensive and very secure way to manage this. And you know, I think there’s a lot of broad acceptance that these kinds of OTP devices are affordable and extremely robust ways to do two-factor authentication.
– And people have asked us about, you know, apps, you know, that can be used for a second factor. We’re still trying to understand that, because I think a lot of shops are, and I know Nick, you guys are going to no cell phones on the shop floor, so you couldn’t really use an app as your second factor, so.
– Yeah, and the reason they’re doing that is, I don’t know about you, Nick, but a lot of people are doing that is because they don’t wanna manage, you know, 20 people’s cell phones.
– So I had actually asked that question before we switched to YubiKeys and it was because I am just so comfortable with the authenticator apps, like, I have so many things set up on, so I felt, like, is that an option? And I was trying to set it up kind of hastily. And so I had authenticator readily available to try out and so that’s why I was asking. But I found YubiKey just to be so easy to set up on ProShop that it was… If I had known it was as easy as it was, I probably wouldn’t have waited so long, ’cause they’re just like 30 bucks a pop and you just buy a bag of ’em.
– Nice.
– So this is some information that is relatively new to ProShop. We’re calling it, this is ProShop SAFE. And we have a couple of screenshots where these new attributes are in the user module. So individual employees can be added to what we call a file access security group and then also authorized for certain classification markings. And in the lower right here, we’re seeing an example of when you’re attaching a file into ProShop, it allows you to classify those files, tag them, you know, with CUI, with FCI or whatever these, you know, ITAR, whatever it might be. And clients will have full control over that list. They could use it for HIPAA if they’re in the medical device industry. But we believe that’s an important part of the marking requirements and then limiting access to who can see what. And then on this next screen, just an example of the configuration behind ProShop SAFE, where you can completely lock down the file storage that backs up the ProShop, you know, application, where you would be storing things like models and drawings and other types of things that would be CUI, and being able to very precisely limit who can access and do what with folders and files. Do you wanna add anything to that, Kelsey? I know you’ve been deep into this.
– Yeah, I mean the other thing that I certainly think is valuable about information aggregation, which is like, if you’re looking for information about a part number, it’s tough if you gotta go look in five different places for the information to understand what’s up with that part number. So the idea of, like, siloing CUI in one spot, but all the non CUI information in some other area that you would then have to reference maybe two or three different places, that gets kind of tough from just a transactional daily work basis. So if instead you can employ a technique like this where you’re classifying that information as CUI and therefore protecting it right in the same directory, right in the context so that folks who are allowed to see it can see it and folks who are not are not, but also it’s readily available to the right people at the right time. That seems like the good combination in this case. And that’s really what we tried to go for here with ProShop SAFE and those classifications.
– Awesome, and I do wanna point out, and I’m still learning and exploring this whole notion, but we’ve definitely had clients that have shared that they have eliminated their local servers. They even are eliminating their domains and work groups. They just have basically a collection of computers, you know, ProShop terminals in their shop that are directly connected to the GovCloud, you know, through ProShop SAFE and their second factor authentication. And they’re really trying to go for, like, pretty much a zero digital CUI on-premise model where it could be that their entire local company’s network is not within the CUI boundary. You know, I’m not saying that’s possible. I’m just saying that’s what I’ve heard some are trying to achieve, and it’s possible that that is maybe-
– From a storage perspective, that is absolutely something I think that could happen. From a processing perspective, every terminal’s gotta process it.
– Of course.
– So you know, the terminal is in scope.
– Yeah.
– Yeah, for sure.
– Yeah, great distinction. And then last couple more here. Actually, this is the very latest hot sort of beta, this is actually a beta test screenshot that I was given permission to share. This is where you can even take anything in your ProShop cloud storage drive and very quickly add or remove, or replace classification markings across, you know, hundreds or thousands or tens of thousands of files all at once. So it’ll be a key part of that classification system. So looking forward to having clients get to play with this. And then this, Kelsey, I’d love to have you just share very briefly on this one.
– I’ll just spend a couple of minutes on this. This is specifically targeted at companies that, you know, don’t have a big budget to, you know, work through the entire process of CMMC and you know, the whole plan, and then executing on all of their POAM. And then, you know, keeping up to date with all of the things that they’ve made. So you make a list of assets and you’re like, oh good, I got an asset list. The question is, is that always being updated exactly as it should be? And typically when it’s a spreadsheet, you may not be keeping that as current as you wish you were. So this slide really just shows some of the ways that specific modules within ProShop are being leveraged by some clients to not only manage their compliance journey, but then also remain compliant and continue to update their processes and use a lot of the ProShop ecosystem to do that fairly effectively. So won’t spend a lot of time on it, but you know, being able to do things like, you know, the documents module for a system security plan or you know, the equipment module to keep track of those assets, those kinds of things are all ways which you could leverage ProShop. And that you’ll see a lot of that specificity in a shared responsibility matrix, will outline specifically how each module can support each control.
– And this just hearkens back to the really solid advice that security practices are really just good mature business practices. And these modules that are in orange here, these are modules that have been pushed up for, you know, more than a decade and they were built for our QMS compliance, but they happened to be just really solid to apply for these, you know, security-focused business processes. So as we were kind of mapping this out, we were kind of pleased to realize that you know what? There’s a lot of it that can be managed right in here without needing a ton of spreadsheets or other software. And for clients that wanna use that, it’s kind of there for them to scaffold that. And correct me if I’m wrong, Kels, we have a few clients sort of beta testing what we call our sort of security QMS assurance plan package if you will. We need a better term for it, but where they’re kind of, we’re helping them implement their CMMC journey using all these modules.
– Yeah, that’s correct, yep. We have, you know, several hundred documents and templates and queries and systems that are built right in to ProShop using these modules, and that we have some clients beta testing that right now.
– Okay, awesome. And as we were preparing for this and going through that responsibility matrix, we identified that of the 110 controls of the NIST standard, ProShop has built features and has functionality that directly manage or partially manage 55, which magically is exactly half of the 110 controls. So we’re feeling pretty strong that we are hopefully making an impact in our clients to make it less cumbersome, less expensive, and it’s like it is gonna be manageable for them to do that without just a crazy, crazy budget.
– Yeah, hopefully you don’t need to spend that $150,000.
– A lot of, yeah.
– On that journey, yeah.
– People are saying it will take-
– Way less.
– Selecting a C3PAO, besides having a friendly robot at your side. Maybe Tyler, do you wanna share a little bit about what you might recommend for this?
– This is actually not something I’ve really looked into yet.
– Okay.
– So I can hand it off to Kelsey, but I would say getting your, you know, if you’re just starting out on your journey, finding your subject matter expert who’s gonna help you is gonna be a very important first step. And then I would say the C3PAO could be the focus after that.
– Yeah, this would be once you feel like you have all your SPRS score’s like 110 or whatever the total, like, you feel like you’re actually ready to go get audited. Is this about the right time, Kelsey? Maybe you would think you could choose one?
– Yeah, I mean, I think that because it’s actually, you know, sort of conflict of interest for the very people who helped you get there to also be a third party. You know, that’s kind of the definition of third party. They weren’t involved in your whole journey. This is later in the game. That being said, I know they’re in extremely high demand right now. So, you know, you may, if you’re looking to expedite your timeline a little bit, you know, try and get on someone’s calendar in advance of when you’re actually ready. ‘Cause if you wait till you’re all done and dusted, it could be a long wait for that. Now I think if you’re all done and good anyway and it isn’t yet on your requirements list to have the actual assessment, you may be in perfectly good shape to look for that C3PAO after the fact. And since they’re in high demand right now, it’ll become easier and easier, I think, to find these folks. There is a marketplace of Cyber AB, accredited third party, you know, certified third party auditors or assessors I should say. If you go on the cyberab.org site, they have a marketplace there of all folks who have passed that bar, because those are the people who are graduating these auditors.
– Great advice, probably just good thing to think about, just being, you know, we mentioned earlier, I know when CMMC really got traction, companies were just coming out of the woodwork, saying that they could help and they can help get you compliant, and you know, weeks or months and just, you gotta be really careful about people that are preying on companies that aren’t really sure exactly what it’s gonna take. So just be really cautious out there.
– Yeah, can I just say, Paul, on that one, if you think of it conceptually more like some of the other requirements, like, becoming ISO certified or becoming AS certified and realize that you actually have a lot of the control in the situation. You’re building the processes, you are driving the behaviors in your organization. This isn’t a nebulous tech thing. There are actually very few controls that are kind of this, like, weird tech magic. Most of the controls are all things that are very much your business and how you plan to do it. And I think if you come at it from that perspective, you’ll have a lot more, not only confidence, but success in finding the right fit for your organization to help you and to get audited. You are very much in control.
– Awesome. Yeah, yeah, awesome. And I noticed in the chat, Scott and Tim are chatting about VLANs. I presume that’s a virtual LAN, and Tim, thanks for mentioning ProShop on-premise. We haven’t mentioned that. We certainly do have a handful of clients that do ProShop completely on-premise, even behind a full air gap, where their network is not connected to the outside world at all. So that is something we can support as well, so. So marketing, you know, I think Tyler, you, you know, sort of set the right tone earlier. This can be very much a strategic move that companies can make to be on the, you know, maybe not on the leading edge if they’re not started yet, but put you really proactive to get this. It will be something I think even companies outside of the defense space will appreciate about a vendor, feel confident that their data will stay safe there. Couple of other points, don’t say you’re certified, if you’re not. You really gotta use the right terminology, talking about your SPRS score and just how many of the controls you meet. And if you were prepping for these, you guys were debating that whether you do or do not publicly share your SPRS score. Do you wanna just touch on that real briefly?
– I don’t know about publicly, but we’ve been asked for it by two customers now, asked for it. And I guess if I could answer that quick question about how often you should be doing it. What we were trying to do is, do it, like, as often as your POAMs. So like, as you’re making updates to your score, they should be reflected in SPRS. And I think that’s really good, ’cause it shows your progress in SPRS. You don’t just have one number of a score, you have your record going from 5 to 10 to wherever you end up.
– Yeah.
– And so I think it’s wise to be doing it as often as you’re making changes. And then I don’t know about sharing it publicly, but we’ve certainly shared it with customers as part of an audit-
– I think customers just wise.
– Yeah.
– Yeah, yeah.
– Especially if they’re asking.
– Yeah.
– So Kelsey’s been a champ at answering Q&A questions via text this whole time. And I think Tyler, you just covered Adam Zimmer’s question about changing SPRS scores. And we are running a little long, but I wanna just say thank you so much to everyone, to Nick and Tyler and Kelsey for all your expertise today, Nate and Modern Machine Shop for hosting us. Yeah, hopefully people got something valuable from this that helped them in their decisions and their journeys going forward.
– For sure, yeah. Thank you, Nick. Thank you, Paul. Thank you, Tyler. Thanks, Kelsey. And thank you to everyone for listening in, and thanks to ProShop for making this webinar possible. And just a disclaimer, you all should receive an email with a link to the recording to this within the next few hours. So thank you, everyone. I think that’s a good spot to end it. And I hope you all enjoy the rest of your day.
– Thank you all.
– Awesome.
– And happy holidays.
– Thanks, Nick.
– Happy holidays.
– Thank you.
– Yeah, appreciate it.