ProShop Holiday Special: A Year in Review
Back to the video library

Video Transcript

hello everyone I’m Nate Fields associate editor for modern machine shop and I’ll be your moderator for today’s webinar

navigating Defense work amidst the rapid cmmc rollout brought to you by proshop

um so in this webinar discover your best path forward in the world of Defense work compliance in this informative

session um secure your future in defense uh our presenters today will be uh Paul

Van Meter and Nick priest um Tyler kowalik

and uh let’s see Paul do you want to uh do the rest of the introductions I can certainly do the rest all right thank

you appreciate it hey everybody thanks for joining us today I realized as Nate

was was uh describing the title maybe the word rapid should not actually be in this because it has been anything but

rapid but it is picking up speed at this point so it is an important topic uh

especially for anyone that is at all in the defense industrial base supporting

the government and defense contractors um so if that’s you you’re in the right spot and I’m excited to uh introduce the

guests uh we’re going to start just real quick with our um actually maybe some

housekeeping so you know in this platform there’s the chat uh you can uh I think you can chat in there share I

always like to ask people where they’re joining from so we can see where in the country or world uh people are joining

us from so if you’re if you’re open to that go ahead and throw that in there uh and then there’s the formal Q&A section

so please if you do have questions at any point please uh throw those in the Q&A and we will definitely have time for

those at the end you’ll also see there’s a couple of handout links that uh Erics

thanks for kicking us off in Frederick Colorado um Leander Texas debuk Iowa

awesome thanks everybody love it love it love it there you go there we go um and

uh we’re going to start just by sharing our mission statement uh we always start with this we think it’s really important

because it truly drives what gets us excited every day we deliver powerful manufacturing software by deeply

understanding our clients challenges in order to meaningfully improve their businesses and Inter their communities

and uh for all of you that are working in machine shops or precision manufacturing you are the foundation of

our economy so thank you for what you do and let’s get into the agenda and I’m going to then introduced um our

panelists and guests here today so we’re going to be covering just kind of what’s the very latest uh there’s always

changes and delays uh with cmmc so we’re going to kind of touch base on that uh

talking about getting certified the process we’re going to talk a little bit about how Pro Shop is helping we’re

going to talk with Nick and um Tyler about their Journeys on their cmmc uh

compliance road map and then uh talk a little bit just about marketing it and sort of going forward what you should be

doing there so love to start next by introducing Nick priest um or the co-founders of priest Machining and

assembly so Nick welcome thank you for joining us do you want to tell us just a few words about uh about

Priest No thanks so much for having me and I I’m really grateful to be here and I I agree that rapid maybe’s not the

best word totally um but I get what you mean by it that it’s you know getting

more serious more quickly um but yeah so priest Machining assembly we’re located

here in Boulder Colorado um we a large percentage of our business is Aerospace

and defense and um so cmmc has been something that we’ve been getting told about by our customers for probably the

last three or four years um certainly before covid and then um we really started working on it over this last

year and um you know just kind of chipping away a little bit at a time um

and so um we’re primar primarily a Milling shop and uh yeah so we’re

started in 2018 and it’s about about all I could say yeah I got to visit uh

Nick’s shop a couple weeks ago beautiful shop so you and your brother started it and correct me if I’m wrong you mostly

had watched YouTube videos on Machining and you’re did was it the first machine you ever saw in person was when it was

being delivered to your shop pretty much yeah I was an engineering student and um

got into YouTube videos was watching NYC CNC and John grimsmo and um thought I’d

just get a machine just for myself just to play with and um was going to do engineering like was going to do larger

like more R&D projects for people and it spiraled into a machining company we

only do Machining at this point so awesome I love it accidental machine

shop owner yeah um know awesome uh and could I maybe have you go

on mute when you’re not talking I know you can hear you guys are making chips in the background which is a wonderful thing um and Tyler uh love to have you

introduce yourself yeah thanks Paul um thanks for uh inviting me to be a part of this

webinar uh so I I work for component products um we are an aerospace manufacturing company located in mleo uh

we’ve been around since uh 1967 it’s um it’s actually a third generation family

run business and um yeah we uh started our cmmc journey back in 2021

um and uh initially we were going for CMC level one but then uh we decided

that it would give us a perhaps a strategic advantage to uh pursue cmmc

level two so we’ve been on this journey for a while okay and uh thank you for

all the help in prepping uh I know uh people will come to understand you

definitely know your stuff around this so I appreciate that and Kelsey how about uh you introduce yourself yeah

thanks Paul hey everybody I’m uh Kelsey hiop I’m the CEO at Pro Shop um

co-founder with Paul um and I you know I haven’t been on a cmmc journey since uh

when probably we should have but I did actually follow it back in late 2017

when we were like huh this is this is coming into effect in in January of 2018

anyway it was it was a good a good wakeup moment I think for everybody um but I have had a lot of experience in

compliance um you know quality uh and implementing true security practices and so that was something that I felt uh was

important for the industry and I think that’s even maybe a main takeaway for today would be you know think about the

difference between cmmc compliance and and good security practices and you

might find that the Delta is not as high as you thought so good security practices and uh ransomware is

everywhere there is a lot of people who want your very important manufacturing

information not just to Ransom it back to you but for all kinds of other reasons so actual security totally aside

from certification you should yeah you should invest in that and this is part of that Journey yeah solid advice always

um and myself I’m Paul I am the chief Revenue officer and co-founder with Kelsey so he and I met in college and

built our machine shop Pro CNC for 17 years uh and eventually sold it and

started Pro Shop about six years ago so been having a fun time all right let’s

talk about let’s kind of level set here what we’re really talking about here today um there’s going to be a lot of

acronyms a lot of things depending on how far along your knowledge Journey some of this might be like drinking from

a fire hose for for others of you it’s uh you know you could probably run this thing yourself but um if you and we’ll

get into the terminology and just a couple more slides but uh basically if you are serving the defense industry as

a manufacturer and you are receiving uh what’s called QE or cui um controlled

unclassified information in the form of drawings and models and things that you’re going to be

manufacturing um uh back me up here guys they’re going to have to get MMC accreditation is that uh is that a fair

way to say it yeah I think that’s fair and and surprisingly we always want to put

something after cmmc even though the last word is [Laughter]

certification so it’s one of those yep uh and as we are prepping for this

and as you alluded to Kelsey um this is actually the the nist 800 171 which cmmc

is going to be the 2.0 version is pretty much largely based on has actually been

the letter of the law since January 2018 can you just elaborate on a little bit about that oh I mean it was one of those

moments where you know it’s like clearly there was a need for securing a bunch of

important information especially because our economy is built you know from so

many U building blocks from foundational machine shops uh that are you know small

but incredibly powerful and mighty in in this chain but often many levels down

and so securing information higher in the chain isn’t nearly as effective if you can’t secure it lower in the chain

so they realized this and it was part of you know a long journey to get to here I think some of the original work was

passed in the early 2010s um but this was the clear directive that manufacturers heads up you gotta you got

to meet this requirement um especially if you’re doing DOD work of course uh but that was largely just unpublished

like you were lucky if you even knew this even existed uh let alone you know what where you really need to be and I

think the the Genesis from my personal opinion of cmmc was that they said we got to actually enforce this if people

are going to take it seriously because after four years uh in 2021 there was a

near zero adoption like an insignificant amount of adoption on this on this mandate and so it was like okay let’s

make it like the other standards right let’s make it like an as requirement or make it like a ISO requirement and and

really have a to get certified uh and there’s been some bumps along the way for those of you who know in the

accreditation and in the Cyber AB but uh fundamentally it’s following in the footsteps of many other I think very

successful and probably very impactful for the actual reasons that they should be in place um and this is what I wanted

to say again which is doing these controls once you read them and you understand what they are they’re all

good security practices a few of them are a little more onerous than you want you’re like really I got to aggregate my

logs for you know analysis it’s like but most of them are like just yeah just do

that thing it’s great you can lift your sprs score just by realizing you want to be safe so that’s a little bit a little

bit of the history and also a plug for do a bunch of this even if you’re not headed for

cmmc yeah and uh Tyler or or Nick um Tyler you were mentioning about the DARS

and having this starting to show up on some of your contracts and your customers can you just share a little

bit about uh your your thoughts on this um yeah I know that our customers

have been asking uh for a while now for us to prepare for cmmc it’s kind of been

um you know a little bit of a buzzword um but uh you know we it it still seems

like there’s some some confusion um when it comes to uh how this is going to

impact procurement practices um it seems like the tendency right now is that that

uh tier ones and government buyers are going to overprescribe uh this rule um case in

point I you know our company got a pretty simple part um just the other day

we were reading the contract they put d712 on there um so it’s you know it’s

it’s coming um it’s it’s going to be pretty far-reaching I think and uh from

what I’ve heard from you know major primes and tier ones they’re starting to cut off uh suppliers that that aren’t in

estate 171 compliant I have heard that from a few

clients of ours so um yeah and didn’t you say that was like for some kind of washer something super simple not really

actually it was a spacer a spacer yeah yeah so yeah good case in point about uh

maybe overprescribing or just really being the letter of the law um because if it goes into a defense you know

vehicle or some it it’s it’s it’s part of the it’s it’s going to be controlled

so all right uh and for anyone that’s been following

this for the last many years you know there’s been lots of delays lots of changes revisions from 1.0 to 2.0 um so

uh I would love to let one of the three of you kind of take this one um because you’re a little bit more in the in the

loop than I am but uh there’s been a proposed rule that’s do any day now is

that right yeah yep the the the the the the

rules which is like a defined term in this case uh are are coming out hopefully I mean there’s there’s a whole

bunch of um compliance nerds who are all like sitting waiting for this to be

published um but the but the rules are imminent um there’s a lot of folks who are joking it’s you know a Christmas

present um I don’t think for most of us that this is the Christmas present we’re hoping for but certainly in the

compliance space it’s pretty important um and then of course you know just moving a little further along um there

has already been a lot of motion into a third revision of the 800 171 standard

and um you know I I am I’m not an expert in the Delta between those two but uh my

understanding from some of the folks I talked to is that it’s it’s enough of a change that this is not like oh yeah you

know uh we put a few uh T’s dotted dotted a few eyes crossed a few T’s we

should be good there’s material changes and like most compliance for any type of

certification this will be an ongoing thing um but hopefully it’s like the other ones which is they’re actually

doing the hard work of figuring out how to make it both easier and safer at the same time um that’s our that’s our

wishful thinking and Tyler you were um when we were prepping for this you mentioned uh

that this is a proposed rule change for cmmc can you define kind of what you what what that means means what does

proposed mean yeah um proposed means it’s not going to be um uh effective

like it won’t go into contracts until after a certain time period has transpired so it’s going to be um a year

after the rule is published is probably when it will become effective if it was an interim rule then it would be

eligible to be included in contracts um but from what I’ve heard people think that it’s too big of a rule for it to to

be interim like they’re going to need to solicit feedback from the DI and um maybe make some some changes if they can

but i’ I’ve also heard that changes at this stage of the game are pretty rare so it’s coming it’s um as soon as it’s

published you know that that time timeline uh where companies can get prepared is just getting uh

shorter so so if the proposed rule is truly coming out any day um does that

mean you think it’ll be in effect sort of letter of the law about a year from

now next you know December of 2024 um that’s what I’ve heard you know

that’s what people seem to think okay yeah and also just to make sure everyone’s clear about this so uh you

know cmmc is not the same as nist 800 171 but at this point the version 2.0 is

almost verbatim you know pointing to the 800 171 so that rev 3 of the the N

standard will directly affect the requirements of cmmc did I get that right

guys I think everybody thinks so yeah all right very good um yeah and the key

takeaway just because it’s been delayed yes that’s true but this is coming um

don’t bet on it going away I definitely have heard people say ah it’s never gonna happen and uh I I think they may

be sorely disappointed when uh it actually is in place and they will no longer be able to bid on or do the do

the jobs and contracts they have done in the past past and one more little pitch for do

the stuff you know is impr improving your security posture because that’s always good like if you’re not starting

anywhere else start with the stuff that makes you more secure and less susceptible to intrusion and data

loss I advice yeah go ahead Nick well I was G say I feel like that was me a little bit kind of like it’s never gonna

happen because I I feel like we’ve been doing this and hearing about it for so many years and I didn’t start taking it

super seriously until um as part of the onboarding process we’re starting to get entire interviews

on this subject and and being really questioned about it and so that was probably about a year ago now and that’s

when we kind of were like okay it’s actually it’s actually happening uh but prior to that I I was on that boat of

yeah well we’ll see you know so yeah yeah well uh it’s you know it’s not

surprising that um you know people have have had that position because there’s been so many delays and so many changes

that uh it’s just been talked about for so long and and we were told by one of

our customers the first time we heard about it they were like you need to be ready for this probably within a year

and that was like 2018 and we haden’t heard about it from that customer since

so and you know I mean it’s really easy to let it slip um sure and until it’s

not until you start getting asked about it which is what happened to us um so

yeah and the exponential rise in cyber security crime over the last five years if you just look at that on a graph it

it’s not even remotely close to linear it’s so parabolic and that’s why this is

getting so much attention in my opinion is that this stuff is getting lost information is getting lost at just a

prodigious rate and that’s got to get tightened up yeah for sure and we’re going to

launch a poll uh we’re going just a one question poll we’ll do another one at the end as well just asking about uh about cui so please

go ahead and answer that while we talk about some of these terms and this is obviously a considerably smaller list

we’ve already you know mentioned a few others including the term dib which is defense industrial base but um just

maybe uh uh when you guys want to sort of go through this a little bit um just

briefly talk about these terms take that Kelsey or Tyler

yeah I’m I’m happy to have you do it Tyler if you if you want but but also yeah sure um I’ll take uh I’ll take a

couple of them I’ll I’ll let you handle fed ramp because I know you guys have have some familiarity with that um so

cmmc cyber security maturity model certification um that’s what we’re talking about today that is uh going to

be the assessment framework um that is going to allow companies to get certified uh that they’re meeting the

controls of n 800 171 um C3PO always makes me think of C3PO um of course

everybody right um but that is that stands for cmmc third party assessment

organization these are organizations uh that are going they’re going to be the organizations auditing you and they’re

the ones that get accredited or the ones that get certified um uh the other one and then I’ll I’ll

let K Kelsey take the rest as MSP managed services provider um that one’s

kind of near and dear I guess to to my heart because we’re a small company as I’m sure lots of other manufacturers are

and we don’t have in-house it expertise so um it’s a very important piece of the

puzzle is uh making sure that you find an an adequate um service

provider awesome thank you Kel take quickly yeah for sure just just real

quick you know organization organization seeking certification that’s just all of us as machine shops you know like hey we

got to get certified um and uh and you know assets are something that are

pretty easy to talk about um because they’re kind of everything that you know

everything that would have value to your organization is some level of asset but in terms of cyber security we’re really

talking about assets that you know have this interaction with your key information with your with your

information that should be controlled now in most cases there’s there’s tons

of information you should keep secure um but in terms of certification they care about ones that are identified and

classified as controlled right controlled and then fedramp real quick um that is actually a sort of outsized

uh standard and what I mean by that is that it’s significantly more onerous than a cmmc requirement and it usually

covers an entire organizational stream it’s actually specifically for products um and you can check it out uh fed ramp

and they have a whole Marketplace of all the products that have uh achieved in atto but the reason this is particularly

important is because of that defar Clause we talked about before and they have specific language in there about

fedramp moderate compliance uh and uh equivalence is actually the word they

chose to use there which has everybody talking about it but that’s important thank you guys all right let’s

talk about assuming that a shop understands that yep they have confirmed

they do they are getting cui they are serving the defense base um what uh what

are they need to do to even understand and start their Journey if they haven’t already um so I think as you alluded to

uh Tyler you know finding a subject matter expert to help you um is that so msps can be that are there other types

of uh organizations out there that could also be an expert to help

yeah so our journey actually started off with a consultant um and so you know a

consultant could be a subject matter expert um I I don’t have a lot of familiarity with this but I do think

that some people provide um like cyber security as like a service uh I don’t

know exactly what all that entails um I don’t think it means that they’re necessarily managing your it but but

maybe helping you with your compliance programs um and then uh yeah we uh and

MP though can um sort of function as a virtual ciso which is what our MSP does

um and ciso stands for Chief Information Security Officer that’s the person that’s essentially responsible for um

executing on vision and strategy for your cyber security processes and

maturity awesome okay and uh Nick I know you’ve been looking at your cui and your

categorization of assets do you want to share a little bit about number three with with

us oh sure I can try my best here the machines are possibly bar to just all kick on at the same time um it’s all

good man but we so our our journey is a little different than going with a u a service provider we have somebody in

house who’s been um we’ve been tapping this kind of slowly and so the first thing we did was um like like it says

just literally mapping the flow of cui as we’re receiving it and as it’s going out to the production floor and then

What’s happen to it after that um in terms of categorizing our assets I don’t know that I would be the person within

our organization to directly comment much more than that on it um I we have a

like I said a person here who’s been helping us uh in house and so we um I might not be the best to answer

that particular question you want to take that one kelse sure I’ll I’ll just jump in a bit on assets you know I mean

um I think generally speaking there’s two sort of main types of assets that they’re concerned with you know there’s

there’s Hardware assets these are all the terminals all the routers all the workstations all the stuff that um deals

with cui in some way um and then there’s of course software which is you know also very much an asset something you

should have good tabs on and protect um but it’s a little less tangible you can’t up to it usually um you know yeah

sometimes it’s on a particular workstation but in general those software assets also do a lot of the

processing um of of that information right they’re the ones that are actually displaying it on your terminals they’re

the ones that are you know giving you a interface for your 3D solid model of

whatever flavor you have and so those software assets are ones that need to be controlled because quite often they’re

the Gateway into actually getting or seeing or using that information so those are software assets all right and

then the last two implementing the controls that’s going to be the 110 controls of the nist 800 171 standard

and then once I guess you feel like you can say yes to most of those you’ll prepare for an assessment with a C3 Pao

is that that that’s certified third-party um you know auditor that

that that’s uh where some of the delay has been just to frame that a little bit um you know as late as middle of this

year there were precious few of those so I think the government estimates there’s about 300,000 companies in the dib the

defense industrial base um and if you’ve got 20 Auditors uh that’s going to take

a long time so they’ve been trying to Mint more of those certified uh

assessors and uh and they’re doing a good job it’s rolling forward but I think that’s where a significant amount

of the delay has been and that’s going to be exponential right not only are they going to burn through some of those um companies already and get on to new

companies but also they’re making many many more of those assessors so right

and we thought we’ just share this very briefly um for for folks that are

actually making product uh you know Machining Parts fabricating things

delivering those but not at the prime level you guys are all in sort of the level two category uh level one and I

I’m curious to get your thoughts Tyler you thought you originally go for level one but then you decided level two

wouldn’t the fact that you’re getting cui mandate you have to be level two and level one would be like someone that’s

maybe you know an accounting firm or a janitor firm that serves you know a defense facility or something like

that yeah uh certainly if if what you have in your possession is uh considered

kui then yes you you already need to be um you’ll need to be CMC level two uh

for us you know a lot of the stuff that that we make is used in commercial applications uh commercial Aerospace it

does um sometimes also um get installed in you know military applications as

well um and so there was some you know internal discussion over like well you

know they they’re talking about cyber security does it really matter for the products that we’re making because we don’t you know that’s not always

considered kooy um right and there was a little bit of a discussion there but then uh we just kind of decided like hey

you know what um we feel like this is actually an opportunity for our company

um it could open the door uh open the doors to get uh more work so that was

kind of uh our reasoning for going cmmc level two and you know as I mentioned

earlier we did get uh an order for you know some some of those parts that we uh

sell to for commercial applications and the d712 was on there um whether it

should be on there I don’t know uh and I don’t know if like the buyer knows that too or if they can make that decision um

but if we’re already there then sure we’re already meeting requirements and I

will mention uh talking to a very large machine shop uh in the last few weeks

you know more than a hundred million doll company and so they are in direct talks with companies like Boeing and

Airbus and bombarder and and it’s their assessment that those companies are even

though they’re not in the defense base for those commercial programs very much moving as well into this cyber security

realm so it may even though it may not be government mandated it’s it’s very possible that the commercial Aerospace

industry will start adopting these because they also don’t want their data to be breached and and and um hacked so

uh it’s a really good point Paul I actually know of one client who got a a flowdown requirement from their

non-government uh contract but it stated that they needed to be 800

171 client right and they were like you know we could try and assess you individually on your security posture

but that doesn’t make sense to us n did all the work right why don’t we go ahead

and just tell you you have to be 8171 yeah so yeah so Tyler thanks for bringing that up I think it’s a really

important strategic decision that shop should be thinking about yeah and just Paul on that on that FCI just to be

clear that’s Federal contract information um so so that’s that that’s that level one sort of area FCI um and

everything under the sun is under there like apparently um they include death certificates as FC

it’s it’s federal information so you know that theoretically is controlled by

level one so depending on what you get you might you might yeah so here’s h a

bunch of other things you might want to be thinking about um or considering and I know Tyler that you had mentioned um

you chose some company that that you thought was going to be a great fit it turns out they weren’t quite quite up to

this level you needed so you went with a different firm can you just share a little bit about what people might be wanting to be uh looking at or cautious

of with an MSP yeah yeah so um the MSP that we had before we realized that we

were going to uh have to switch um they kind of more were just the general MSP that serviced you know customers I guess

in any industry and um it it was pretty apparent that like they were not going

to be ready for CMC because they were kind of treating it like other um you know cyber security regulations out

there that don’t have any teeth uh to it um like you know cmmc has teeth to it

because you’re going to get certified um and then so we we started looking around

uh we found a company um we actually found a couple companies and we went with one uh option I won’t say their

name but um they they were cheaper than the other alternative the other

alternative was was very costly um and and you know everything it seemed good

it seemed okay but there were a bunch of red flags that um that I didn’t see

because it was like my my first rodeo I guess but um you know they were just

uh they it it became clear that they weren’t going to be a partner in this

process um they were really designed for scale and if um I’m I’m not saying that

there aren’t you know companies out there that can maybe make this work at scale but um the I think with something

like cmmc and and the need to closely collaborate with um you know a subject matter expert or your it Department like

this is not something that um can just be uh done for you completely like you

have to be a part of the process um so if you’re looking for an MSP my

recommendation would be make sure they’re not oversimplifying compliance um make sure that they are engaged

within the broader cmmc community and they’re not just um you know over promising what what they can’t deliver

um sure make sure that uh there’s evidence you know that they are continuously investing in um meeting

these requirements much like you know Pro Shop developing features to Support

Compliance there there should be proof that they’re doing the right things um

another is you know if they’re withholding uh evidence that you need to do your due

diligence process I’d say that’s that’s a red flag um and yeah make sure they’re

not Outsourcing any anything uh either those those would be my

recommendations solid thank you very much for that um Nick anything on this

list you particularly want to double click

on you’re muted still there you go okay it has like a

little bit of delay there um I I really liked everything Tyler just said our our plan’s a little different we have a a

part-time staff who’s kind of acting as our uh Chief Information officer and and tackling a lot of this on our behalf at

our facility um and so our plan is to then get in contact with somebody um

like an MSP before we actually go to get certified um we’re trying to take on as much as we can

internally um because like Kelsey said a lot of it’s just like good security PL practices and a lot of it is achievable

if you look at it um you know just the list is it’s 110 items right and so it’s

really overwhelming but it certainly is possible to kind of approach it slowly and methodically and actually take care

of some of these things um but for us that’s how we’re tackling it um and we

found that you know there’s a lot of companies out there that are doing a lot

to help you check check some of those boxes like Pro Shop there’s there’s a couple others that I um I could add but

um like Pro Shop for example just doing a couple of these things the way we’re supposed to helps us check some of these

boxes um and so we’re been kind of taking that approach of start small and

obtainable and like it says here responsibility Matrix I if you haven’t seen that from some of these people

that’s a literal list of things that work tackling for you that if you can add into your security plan you should

be compliant if you’re doing it the way you should like like an example would be working directly out of the K Drive we

don’t that that’s like a one possible example um and uh yeah so starting to

feel off I’m rambling a little bit no that’s I appreciate that those are good points and I was gonna say that that

shared responsibility Matrix um and you know um the the ways in which other

platforms forms uh not just you know someone who’s Consulting with you for cyber security because often they don’t

have influence directly on the tools you’re using you know you’re using all kinds of different hardware and software

uh elements um and so getting that shared responsibility Matrix from your vendors where they can help you you know

this is software vendors this is hardware vendors you know um there’s sometimes really simple stuff like

certain types of Hardware is just not compliant so don’t buy that stuff know upfront right that that’s the

case so anyway um yeah I I I would say for sure on that and and then I would

just want to double click Paul on that build mature security SL business processes I know I’m kind of harping on

this but there’s tons of good simple stuff you can do as business processes that increase your security posture

dramatically and tick some boxes on the cmmc controls right to your point Nick

awesome well we are getting way behind schedule we’re going to have to pick up the pace a little bit here so let’s just very very quickly so sprs or Spurs score

this is um this is basically how you’re doing on those 110 controls I know Tyler

you’re all over this you want to just share a little bit about what this means for people um yeah if you do have uh D 712

on your contracts then you will have to have your Spurs score um submitted um s

s sprs I forget what it actually stands for but I know it’s a system within p e and I’d also forget what that

stands for but um you’ll have to have that score submitted um in order to be

compliant and if you’re doing any work direct with like the government like you know on like um in order to

obtain uh technical information that’s classified as KU you will need that score

submitted awesome and I just shared a couple of links so grab those links in the chat um and sprs I belied is the

supplier performance risk system but I also have no idea what p means but anyway um good stuff there let’s move

along um so identifying cui and scope and boundaries that’s that’s a really

big part of this um Kelsey do you want to take this one sure yeah I’ll just

talk real briefly about this even though it uh I’m not going to spend too much time on it even though it is probably one of the single biggest things you can

do to minimize the burden um you know if you decide that uh that you’re going to

you know appropriate scope and what I mean by that is you know Define where the cui is going to come in flow through

your company and then reside uh in terms of long-term storage and you know uh

later use that will really determine those assets we were talking about um so

you know whether certain terminals certain routers certain uh software platforms are actually interacting right

are are processing transmitting or storing as they as they list right there

and so set setting up those flows um and one of the things that I think is super important about it is identification um

so we’ll talk a little bit more about that later but um you need to be able to have a system that immediately

identifies and then tags cui so that you can treat it properly uh it’s it’s

nearly impossible to expect your entire company to treat it properly if you haven’t identified it as that kind of

information so we’ll talk about that a little bit more later but that flow and uh being able to scope correctly will

help you on your assessment um dramatically okay great um should we

touch just on the the the three main basic Dimensions storing transmitting and processing Ty yeah I know we’ve

talked about it real briefly but you know storing is pretty basic which is like wherever it’s actually sitting you

know in some kind of uh you know State like a hard drive or you know a backup

drive or a cloud storage provider um because clouds or a filing cabinet even

just on the printer just sitting there you know at the machine on paper absolutely all those things right um if

you sent it as part of a package to your plating supplier because you need to tell them where to rack the part

appropriately but you’re sending them the drawing of the part that’s that’s UI

you’re you’re transmitting it to them uh maybe in the box or maybe you know in your email or wherever it is um so yeah

for sure those three things okay uh

and once you define those boundaries I guess part of making sure you’re compliant is that you’re not letting

that cui leak past the boundaries that you’ve set for your own company and every company will have slightly

different boundaries based on their their Network and their people and how they’re choosing to to meet the

compliance requirements that a fair way to say it I think it’s a good uh you

know a good way to describe it and I think that an example of this is you may have certain aspects of your um even

Local Company infrastructure that don’t have any way to access this kind of information the simplest example is your

guest Wi-Fi like everybody should have a guest Wi-Fi don’t have just one Wi-Fi for everybody who shows up and that way

anyone who’s on the guest Wi-Fi is what they call logically separated right from

that so so you can’t there is no path from your guest Wi-Fi into your cui data

so yeah absolutely creating those boundaries and knowing um physically and digitally where they are usually it’s

the front door is the physical part right like that’s pretty common so yeah

yeah and there’s still lots to work out there like what if you send stuff UPS like oh you’re sending cui with UPS

how’s that going to work there’s a lot of question marks St just a well I was gonna say I really

like the guest Network example because that that’s one of the ones that we didn’t occur to us till we started working on this that it’s wise to maybe

have a separate router outside of the firewall for your guest Network and so that that’s why I I really like your

point that some of this is just good practice that you should probably do regardless um

so thanks fantastic all right I know we could go on that topic for a long long time let’s

going to switch switch directions here and just talk a little bit about how we are trying to help our clients meet this

um and we’ll start by saying that prap is just one puzzle piece in a much

bigger effort you know we’re not claiming to do it all we’re not claiming to some kind of miracle cure but we are

definitely working very hard to make this uh less costly less honorous and a

little bit simpler for our customers so I’ll share a few screenshots here but we’re basically talking about some basic

just security settings that we’ve built into Pro Shop we’ll talk for a minute about Pro Shop Safe which stands for

secure access file ecosystem that was Kelsey’s brilliant naming um I was

leaning to more to Vault but safe is definitely the best name um and then uh

we uh for sure are you know on um going to be getting on the path for fed ramp moderate equivalence or certification I

guess it will be um and we for sure share our shared responsibility Matrix with clients that shows you know what

they are responsible for what proshop can cover and what uh AWS in the gov

Cloud you know says that they got covered so you don’t need to and we don’t need to worry about those things

um so let’s jump first into security settings so if there are any Pro Shop customers on this webinar and I can’t

see the list but uh make sure you go into your security settings and turn some of these things on um and there are

basic things like you know what we call our password validation rules like uh and we have programmed in specific you

know um cmmc compliant password rules uh as opposed to you know having a three

you know a three character password that that is super easy to hack um things like you know disabling uh uh inactive

sessions or when you need how often you need to reset your password or things of that nature um so if you’re software

doesn’t have these kind of settings you definitely should be asking them um about that anything on this Kelsey you want to

mention that that’s great Paul I mean there’s lots more but uh we’re also uh right natively

inside a pro shop managing um one-time password devices uh so we use UB Keys

which are uh I think kind of the gold standard for fips compliant which is another acronym um second Factor

authentications so uh so we can cover that requirement which I believe is one of the is that one of the specific Nest

requirements gotta have two Factor yep Y and and for sure just that on those hard keys yeah thanks Nick he’s holding it up

that’s perfect these keys are a very inexpensive and very secure way to manage this um and you know I think

there’s a lot of um broad acceptance that these kinds of OTP devices are um

affordable and extremely robust ways to do two- Factor authentication and people

have asked us about uh about um you know apps you know uh that can be used for a

second Factor um we’re still trying to understand that because I think a lot of shops are and I know Nick you guys are

going to No sell phones on the shop floor so you couldn’t really use an app as your second Factor um so yeah the

reason they’re doing that is I don’t know about you Nick but a lot of people are doing that is because they don’t want to manage you know 20 people’s cell

phones I so I had actually asked that question before we switched to U keys and it was U

because I I am just so uh comfortable with the authenticator apps like I have so many

um things set up on so I thought like is that an option and U and I was trying to set it up kind of uh hastily and um so I

had athenticator readily available to try out and so that’s why I was asking but I I found UB key just to be so easy

to set up on on Pro Shop that it was I I didn’t if I had known it was as easy as it was I probably wouldn’t have waited

so long because they are just like 30 bucks a pop and just buy a bag of them

and so so this is uh some information that is relatively new to Pro Shop we’re

calling it this is proshop safe um and we have a couple of screenshots where these new attributes are in the user

module so uh individual employees can be added to what we call a file access Security Group uh and then also

authorized for certain classification markings and in the lower right here we’re seeing an example of when you’re

attaching a file into proshop it allows you to classify uh uh those that those

files tag them you know with cui with FCI or whatever these you know itar

whatever it might be um and clients will have full control over that list they could use it for Hippa if they’re us if

they’re in the medical device industry um but uh we believe that’s an important

part of the the the marketing requirement and then limiting access to who can see what um and then on this

next screen just an example of uh the configuration behind proshop

safe where you can completely lock down uh the file storage that Pro that backs

up the Pro Shop you know application where you would be storing things like models and drawings and other typ of

things that would be cui uh and uh being able to very precisely limit who can

access and do what to what folders and files do you want to add anything to that Kelsey I know you’ve been deep into

this yeah I mean the other thing that um I certainly think is valuable about

information aggregation which is like if you’re looking for information about a part number it’s tough if you got to go

look in five different places for the information to understand what’s up with that part number so the idea of like

siloing cui in one spot but all the non cui information in some other area that

you would then have to reference maybe two or three different places that gets kind of tough uh from just a transactional daily work basis so if

instead you can employ a technique like this where you’re classifying that information is cui and therefore

protecting it right in the same directory right in the context so that folks who are allowed to see it can see

it and folks who are not are not but also um it’s readily available to the

right people at the right time that seems like the the the good combination in this case and that’s really what we tried to go for here with Pro Shop safe

and those classifications awesome and I do want to point out um and I’m still learning and

exploring this whole notion but we’ve definitely had clients that have shared that they are they have eliminated their

local servers they even are eliminating their domains and work groups they just have basically a collection of computers

you know Pro Shop terminals in their shop that are directly connected to the govcloud you know through this through

Pro Shop safe and and their second Factor authentication and they’re really trying to go for like pretty much a zero

digital cui on premise model where they’re just it may it could be that

their entire local company’s network is not within the SK COI boundary um it you

know I’m not saying that’s possible I’m just saying that’s that’s that’s what um I’ve heard some are trying to achieve

and it’s possible that that is maybe from a storage perspective that is absolutely something I think that that

could happen uh from a processing perspective every terminal’s got to process it so of course you know the

terminal is in scope yeah for sure yeah good great distinction and then last uh

couple more here this is actually this is I this is the very latest hot sort of

beta this is actually a beta test um screenshot that I was given permission

to share um this is where you can even take anything in your Pro Shop cloud

storage drive and and very quickly add or remove or replace um classification

markings uh across you know hundreds or thousands or tens of thousands of files all at once so um it’s uh it’ll be a key

part of that classification uh system so looking forward to having clients get to play

with this um and and then this Kelsey I’d

love to have you just share very briefly on this one couple minutes on this this is um this is specifically targeted at

companies that you know um don’t have a big budget uh to you know work through

the entire process of uh cmmc and you know the whole plan uh and then

executing on all of their poem and then you know keeping up to date with all the

things that they’ve made so you make a list of assets and you’re like oh good I got an asset list the question is is

that always being updated exactly as it should be and typically when it’s a spreadsheet um you may not be keeping

that as current as you wish you were uh so this uh this slide really just shows

some of the ways that specific modules within Pro Shop are being leveraged by some clients to uh not only manage their

compliance Journey um but then also remain uh compliant and and continue to update their their processes um and use

a lot of the proshop ecosystem to do that fairly effectively so won’t spend a

lot of time on it but you know being able to do things like you know the documents module for a system security

plan or you know the equipment module to keep track of those assets those kinds of things are all um ways which you

could leverage Pro Shop and that you’ll see a lot of that specificity in a shared responsibility Matrix we’ll

outline specifically how each module can support each control and this just hearkens back to

the the really solid advice that uh that security practices are really just good

mature business practices um and uh these modules that are in orange here

these are modules that have been pushop for you know more than a decade and they were built for our qms uh compliance but

they happen to be just really solid to to apply for these you know security focused business processes um so we were

kind of as we were kind of mapping this out we were kind of pleased to to realize that you know what there’s a lot of it that can be managed right in here

without needing a ton of spreadsheets or other software and uh for clients that want to want to use that

um it’s kind of there for them to to scaffold that and correct me if I’m wrong kelse we are uh we have a few

clients sort of beta testing what we call our sort of security flying start package if you will we need a better

term for it but uh where they’re kind of we’re helping them Implement their cmmc

Journey using all these modules that’s correct yep we we have you know um

several hundred documents and templates and queries and systems that are built

right in uh to Pro Shop using these modules that we have some clients beta testing uh that right now okay awesome

and as we were preparing for this and going through that responsibility Matrix um we identified that of the 110

controls of the N standard proshop has built features and has functionality that directly manage or partially manage

55 which magically is exactly half of 110 controls so um we’re feeling pretty

strong that we are hopefully making an impact in our clients to make it less less cumbersome less expensive um and

it’s like it is going to be manageable for them to do that um without just a crazy crazy budget um hopefully you

don’t need to spend that $1,000 a lot of on that Journey people are saying it will take way less um

selecting a C3 Pao uh besides having a friendly robot at your side maybe Tyler

do you want to share a little bit about what um you might recommend for

this um this is actually not something I’ve uh really looked into yet okay so I

can hand I can hand it off to Kelsey but I I would say um getting your you know

if you’re just starting out on your journey finding your subject matter expert um who’s who’s going to help you

is is um going to be very important first step and then um the I would say

the C3 Pao could be the focus after that yeah this would be once you feel like

you have all your Spurs score is like 110 or whatever the total like you feel like you’re actually ready to go get

audited is this about the right time Kelsey maybe you would think yeah I mean I think I think that because it’s

actually you know sort of conflict of interest for the very people who helped you get there to also be a third party

um you know that’s kind of the definition of third party they weren’t involved in in your whole journey um that that this is later in the game that

being said I know they’re in extremely high demand right now um so you know you may if you’re looking to expedite your

timeline a little bit um you know try and get on someone’s calendar uh in advance of when you’re actually ready

because if you wait till you’re all done and dusted um you could be along wait for that now I think if you’re all if

you’re all done and good anyway and it isn’t um yet on your requirements list to to have the actual assessment um you

may be in perfectly good shape to look for that C3 Pao after the fact and since they’re in high demand right now it’ll

become easier and easier I think to to find these folks there is a Marketplace

um of cyber AB accredited third parties

you know certified thirdparty Auditors um or assessors I should say um if you go on the Cyber ab. org site they have a

Marketplace there of all folks who have um pass that bar uh because those are

the people who are graduating these AIT aors great advice probably good just

good thing to think about just being you know we mentioned earlier I know when cmmc really got traction companies were

just coming out of the woodwork saying that they could help and they can help get you compliant and you know weeks or

months and just you got to be really careful about uh people that are praying on um companies that aren’t really sure

exactly what what it’s going to take so just be really cautious there yeah can I just say Paul on that one um if you

think of it conceptually more like some of the other requirements like becoming ISO certified or becoming as certified

and realize that you actually have a lot of the control in the situation you’re building the processes you are driving

the behaviors in your organization this isn’t a nebulous Tech thing there are actually very few controls that are kind

of this like weird Tech magic most of the controls are all things that are very much your business and how you plan

to do it and I think if you come at it from that perspective you’ll have a lot more not only confidence but success in

finding the right fit for your organization uh to help you and to get audited you are very much in control

yeah yeah awesome and I noticed in the chat Scott and Tim are chatting about

VLS I presume that’s a virtual land so um and Tim thanks for mentioning Pro

Shop on premise we haven’t mentioned that we certainly do have a a handful of clients that do pro shop completely on

premise even behind a full air gap where their network is not connected to the outside world at all um so that is

something we can support as well so um so marketing uh you know I think

Tyler you you know sort of set the right tone earlier this can be very much a strategic uh move that companies can

make um to be on the you know maybe not on the Leading Edge if they’re not

starting yet but be really proactive to get this um it will be something I think

uh even companies outside of the defense space will appreciate about a vendor um

feel confident that they their data will stay safe there um couple of other

points don’t say you’re certified if you’re not you really got to use the right terminology talking about your

Spurs score and just how many of the controls you you meet um and uh you and

if we were prepping for these you guys were debating that whether you do or do not publicly

share your spu score you want to just touch on that real briefly I don’t I don’t know about

publicly but we’ve been asked for it um by two customers now asked for it and I

guess if I could answer that quick question about how often you should be doing it our what we were trying to do

is um do it like as often as your poem so like as as you’re making updates to your score they should be reflected in

Spurs and I think that’s really good because it shows your progress in Spurs you don’t just have one number of a

score you have your record going from five to 10 to wherever you end up yeah

and so I think it’s wise to be doing it as often as you’re making changes and then I I don’t know about sharing it

publicly but we we’ve certainly shared it with customers as part of a I think customers wise yeah especially if

they’re asking yeah so Kelsey’s been a champ at answering chat qu or Q&A

questions via text this whole time um so I think Tyler you just covered Adam

Zimmer’s question about changing Spurs scores um and we are running a little long but uh I want to just say thank you

so much to everyone to Nick and Tyler and Kelsey for all your expertise today

Nate and and modern machine shop for hosting us um yeah hopefully uh people

got something valuable from this that helped them in their decisions and their Journeys going forward

for sure yeah thank you Nick thank you Paul thank you Tyler thanks Kelsey um and thank you to everyone for listening

in and thanks to Pro Shop for making this webinar possible um and just a disclaimer you all should receive an

email with a link to the recording to this within the next few hours um so thank you everyone I think that’s a good

spot to end it and I hope you all enjoy the rest of your day thank you all and Happy Holidays thanks

Nicky yeah appreciate it


Privacy Policy
Terms of Service
magnifiercrosschevron-downarrow-leftarrow-right linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram