ProShop Holiday Special: A Year in Review

Video Transcript

hello everyone I’m Nate Fields associate editor for Modern Machine Shop and I’ll be your moderator for today’s webinar

navigating Defense work amidst the rapid CMMC rollout brought to you by ProShop

um so in this webinar discover your best path forward in the world of Defense work compliance in this informative

session um secure your future in defense uh our presenters today will be uh Paul

Van Metre and Nick Priest um Tyler Kowalik

and uh let’s see Paul do you want to uh do the rest of the introductions I can certainly do the rest all right thank

you appreciate it hey everybody thanks for joining us today I realized as Nate

was was uh describing the title maybe the word rapid should not actually be in this because it has been anything but

rapid but it is picking up speed at this point so it is an important topic uh

especially for anyone that is at all in the defense industrial base supporting

the government and defense contractors um so if that’s you you’re in the right spot and I’m excited to uh introduce the

guests uh we’re going to start just real quick with our um actually maybe some

housekeeping so you know in this platform there’s the chat uh you can uh I think you can chat in there share I

always like to ask people where they’re joining from so we can see where in the country or world uh people are joining

us from so if you’re if you’re open to that go ahead and throw that in there uh and then there’s the formal Q&A section

so please if you do have questions at any point please uh throw those in the Q&A and we will definitely have time for

those at the end you’ll also see there’s a couple of handout links that uh Erics

thanks for kicking us off in Frederick Colorado um Leander Texas Dubuque Iowa

awesome thanks everybody love it love it love it there you go there we go um and

uh we’re going to start just by sharing our mission statement uh we always start with this we think it’s really important

because it truly drives what gets us excited every day we deliver powerful manufacturing software by deeply

understanding our clients’ challenges in order to meaningfully improve their businesses and in turn their communities

and uh for all of you that are working in machine shops or precision manufacturing you are the foundation of

our economy so thank you for what you do and let’s get into the agenda and I’m going to then introduce um our

panelists and guests here today so we’re going to be covering just kind of what’s the very latest uh there’s always

changes and delays uh with CMMC so we’re going to kind of touch base on that uh

talking about getting certified the process we’re going to talk a little bit about how ProShop is helping we’re

going to talk with Nick and um Tyler about their Journeys on their CMMC uh

compliance road map and then uh talk a little bit just about marketing it and sort of going forward what you should be

doing there so love to start next by introducing Nick Priest um or the co-founders of Priest Machining and

assembly so Nick welcome thank you for joining us do you want to tell us just a few words about uh about

Priest No thanks so much for having me and I I’m really grateful to be here and I I agree that rapid maybe’s not the

best word totally um but I get what you mean by it that it’s you know getting

more serious more quickly um but yeah so Priest Machining Assembly we’re located

here in Boulder Colorado um we a large percentage of our business is Aerospace

and defense and um so CMMC has been something that we’ve been getting told about by our customers for probably the

last three or four years um certainly before COVID and then um we really started working on it over this last

year and um you know just kind of chipping away a little bit at a time um

and so um we’re primar primarily a Milling shop and uh yeah so we’re

started in 2018 and it’s about about all I could say yeah I got to visit uh

Nick’s shop a couple weeks ago beautiful shop so you and your brother started it and correct me if I’m wrong you mostly

had watched YouTube videos on Machining and you’re did was it the first machine you ever saw in person was when it was

being delivered to your shop pretty much yeah I was an engineering student and um

got into YouTube videos was watching NYC CNC and John Grimsmo and um thought I’d

just get a machine just for myself just to play with and um was going to do engineering like was going to do larger

like more R&D projects for people and it spiraled into a machining company we

only do Machining at this point so awesome I love it accidental machine

shop owner yeah um know awesome uh and could I maybe have you go

on mute when you’re not talking I know you can hear you guys are making chips in the background which is a wonderful thing um and Tyler uh love to have you

introduce yourself yeah thanks Paul um thanks for uh inviting me to be a part of this

webinar uh so I I work for Component Products um we are an aerospace manufacturing company located in Mukilteo uh

we’ve been around since uh 1967 it’s um it’s actually a third generation family

run business and um yeah we uh started our CMMC journey back in 2021

um and uh initially we were going for CMMC level one but then uh we decided

that it would give us a perhaps a strategic advantage to uh pursue CMMC

level two so we’ve been on this journey for a while okay and uh thank you for

all the help in prepping uh I know uh people will come to understand you

definitely know your stuff around this so I appreciate that and Kelsey how about uh you introduce yourself yeah

thanks Paul hey everybody I’m uh Kelsey Heikoop I’m the CEO at ProShop um

co-founder with Paul um and I you know I haven’t been on a CMMC journey since uh

when probably we should have but I did actually follow it back in late 2017

when we were like huh this is this is coming into effect in in January of 2018

anyway it was it was a good a good wakeup moment I think for everybody um but I have had a lot of experience in

compliance um you know quality uh and implementing true security practices and so that was something that I felt uh was

important for the industry and I think that’s even maybe a main takeaway for today would be you know think about the

difference between CMMC compliance and and good security practices and you

might find that the Delta is not as high as you thought so good security practices and uh ransomware is

everywhere there is a lot of people who want your very important manufacturing

information not just to Ransom it back to you but for all kinds of other reasons so actual security totally aside

from certification you should yeah you should invest in that and this is part of that Journey yeah solid advice always

um and myself I’m Paul I am the chief Revenue officer and co-founder with Kelsey so he and I met in college and

built our machine shop Pro CNC for 17 years uh and eventually sold it and

started ProShop about six years ago so been having a fun time all right let’s

talk about let’s kind of level set here what we’re really talking about here today um there’s going to be a lot of

acronyms a lot of things depending on how far along your knowledge Journey some of this might be like drinking from

a fire hose for for others of you it’s uh you know you could probably run this thing yourself but um if you and we’ll

get into the terminology and just a couple more slides but uh basically if you are serving the defense industry as

a manufacturer and you are receiving uh what’s called “cooey” or CUI um controlled

unclassified information in the form of drawings and models and things that you’re going to be

manufacturing um uh back me up here guys they’re going to have to get CMMC accreditation is that uh is that a fair

way to say it yeah I think that’s fair and and surprisingly we always want to put

something after CMMC even though the last word is [Laughter]

certification so it’s one of those yep uh and as we are prepping for this

and as you alluded to Kelsey um this is actually the the NIST 800-171 which CMMC

is going to be the 2.0 version is pretty much largely based on has actually been

the letter of the law since January 2018 can you just elaborate on a little bit about that oh I mean it was one of those

moments where you know it’s like clearly there was a need for securing a bunch of

important information especially because our economy is built you know from so

many U building blocks from foundational machine shops uh that are you know small

but incredibly powerful and mighty in in this chain but often many levels down

and so securing information higher in the chain isn’t nearly as effective if you can’t secure it lower in the chain

so they realized this and it was part of you know a long journey to get to here I think some of the original work was

passed in the early 2010s um but this was the clear directive that manufacturers heads up you gotta you got

to meet this requirement um especially if you’re doing DOD work of course uh but that was largely just unpublished

like you were lucky if you even knew this even existed uh let alone you know what where you really need to be and I

think the the Genesis from my personal opinion of CMMC was that they said we got to actually enforce this if people

are going to take it seriously because after four years uh in 2021 there was a

near zero adoption like an insignificant amount of adoption on this on this mandate and so it was like okay let’s

make it like the other standards right let’s make it like an AS requirement or make it like a ISO requirement and and

really have a to get certified uh and there’s been some bumps along the way for those of you who know in the

accreditation and in the Cyber AB but uh fundamentally it’s following in the footsteps of many other I think very

successful and probably very impactful for the actual reasons that they should be in place um and this is what I wanted

to say again which is doing these controls once you read them and you understand what they are they’re all

good security practices a few of them are a little more onerous than you want you’re like really I got to aggregate my

logs for you know analysis it’s like but most of them are like just yeah just do

that thing it’s great you can lift your SPRS score just by realizing you want to be safe so that’s a little bit a little

bit of the history and also a plug for do a bunch of this even if you’re not headed for

CMMC yeah and uh Tyler or or Nick um Tyler you were mentioning about the DFARS

and having this starting to show up on some of your contracts and your customers can you just share a little

bit about uh your your thoughts on this um yeah I know that our customers

have been asking uh for a while now for us to prepare for CMMC it’s kind of been

um you know a little bit of a buzzword um but uh you know we it it still seems

like there’s some some confusion um when it comes to uh how this is going to

impact procurement practices um it seems like the tendency right now is that that

uh tier ones and government buyers are going to overprescribe uh this rule um case in

point I you know our company got a pretty simple part um just the other day

we were reading the contract they put DFARS 7012 on there um so it’s you know it’s

it’s coming um it’s it’s going to be pretty far-reaching I think and uh from

what I’ve heard from you know major primes and tier ones they’re starting to cut off uh suppliers that that aren’t

NIST 171 compliant I have heard that from a few

clients of ours so um yeah and didn’t you say that was like for some kind of washer something super simple not really

actually it was a spacer a spacer yeah yeah so yeah good case in point about uh

maybe overprescribing or just really being the letter of the law um because if it goes into a defense you know

vehicle or some it it’s it’s it’s part of the it’s it’s going to be controlled

so all right uh and for anyone that’s been following

this for the last many years you know there’s been lots of delays lots of changes revisions from 1.0 to 2.0 um so

uh I would love to let one of the three of you kind of take this one um because you’re a little bit more in the in the

loop than I am but uh there’s been a proposed rule that’s due any day now is

that right yeah yep the the the the the the

rules which is like a defined term in this case uh are are coming out hopefully I mean there’s there’s a whole

bunch of um compliance nerds who are all like sitting waiting for this to be

published um but the but the rules are imminent um there’s a lot of folks who are joking it’s you know a Christmas

present um I don’t think for most of us that this is the Christmas present we’re hoping for but certainly in the

compliance space it’s pretty important um and then of course you know just moving a little further along um there

has already been a lot of motion into a third revision of the 800-171 standard

and um you know I I am I’m not an expert in the Delta between those two but uh my

understanding from some of the folks I talked to is that it’s it’s enough of a change that this is not like oh yeah you

know uh we put a few uh T’s dotted dotted a few i’s crossed a few t’s we

should be good there’s material changes and like most compliance for any type of

certification this will be an ongoing thing um but hopefully it’s like the other ones which is they’re actually

doing the hard work of figuring out how to make it both easier and safer at the same time um that’s our that’s our

wishful thinking and Tyler you were um when we were prepping for this you mentioned uh

that this is a proposed rule change for CMMC can you define kind of what you what what that means means what does

proposed mean yeah um proposed means it’s not going to be um uh effective

like it won’t go into contracts until after a certain time period has transpired so it’s going to be um a year

after the rule is published is probably when it will become effective if it was an interim rule then it would be

eligible to be included in contracts um but from what I’ve heard people think that it’s too big of a rule for it to to

be interim like they’re going to need to solicit feedback from the DIB and um maybe make some some changes if they can

but i’ I’ve also heard that changes at this stage of the game are pretty rare so it’s coming it’s um as soon as it’s

published you know that that time timeline uh where companies can get prepared is just getting uh

shorter so so if the proposed rule is truly coming out any day um does that

mean you think it’ll be in effect sort of letter of the law about a year from

now next you know December of 2024 um that’s what I’ve heard you know

that’s what people seem to think okay yeah and also just to make sure everyone’s clear about this so uh you

know CMMC is not the same as NIST 800-171 but at this point the version 2.0 is

almost verbatim you know pointing to the 800-171 so that rev 3 of the the NIST

standard will directly affect the requirements of CMMC did I get that right

guys I think everybody thinks so yeah all right very good um yeah and the key

takeaway just because it’s been delayed yes that’s true but this is coming um

don’t bet on it going away I definitely have heard people say ah it’s never gonna happen and uh I I think they may

be sorely disappointed when uh it actually is in place and they will no longer be able to bid on or do the do

the jobs and contracts they have done in the past and one more little pitch for do

the stuff you know is impr improving your security posture because that’s always good like if you’re not starting

anywhere else start with the stuff that makes you more secure and less susceptible to intrusion and data

loss I advice yeah go ahead Nick well I was G say I feel like that was me a little bit kind of like it’s never gonna

happen because I I feel like we’ve been doing this and hearing about it for so many years and I didn’t start taking it

super seriously until um as part of the onboarding process we’re starting to get entire interviews

on this subject and and being really questioned about it and so that was probably about a year ago now and that’s

when we kind of were like okay it’s actually it’s actually happening uh but prior to that I I was on that boat of

yeah well we’ll see you know so yeah yeah well uh it’s you know it’s not

surprising that um you know people have have had that position because there’s been so many delays and so many changes

that uh it’s just been talked about for so long and and we were told by one of

our customers the first time we heard about it they were like you need to be ready for this probably within a year

and that was like 2018 and we haven’t heard about it from that customer since

so and you know I mean it’s really easy to let it slip um sure and until it’s

not until you start getting asked about it which is what happened to us um so

yeah and the exponential rise in cyber security crime over the last five years if you just look at that on a graph it

it’s not even remotely close to linear it’s so parabolic and that’s why this is

getting so much attention in my opinion is that this stuff is getting lost information is getting lost at just a

prodigious rate and that’s got to get tightened up yeah for sure and we’re going to

launch a poll uh we’re going just a one question poll we’ll do another one at the end as well just asking about uh about cui so please

go ahead and answer that while we talk about some of these terms and this is obviously a considerably smaller list

we’ve already you know mentioned a few others including the term DIB which is defense industrial base but um just

maybe uh uh when you guys want to sort of go through this a little bit um just

briefly talk about these terms take that Kelsey or Tyler

yeah I’m I’m happy to have you do it Tyler if you if you want but but also yeah sure um I’ll take uh I’ll take a

couple of them I’ll I’ll let you handle FedRAMP because I know you guys have have some familiarity with that um so

CMMC Cybersecurity Maturity Model Certification um that’s what we’re talking about today that is uh going to

be the assessment framework um that is going to allow companies to get certified uh that they’re meeting the

controls of NIST 800-171 um C3PAO always makes me think of C-3PO um of course

everybody right um but that is that stands for CMMC Third-Party Assessment

organization these are organizations uh that are going they’re going to be the organizations auditing you and they’re

the ones that get accredited or the ones that get certified um uh the other one and then I’ll I’ll

let K Kelsey take the rest is MSP managed services provider um that one’s

kind of near and dear I guess to to my heart because we’re a small company as I’m sure lots of other manufacturers are

and we don’t have in-house IT expertise so um it’s a very important piece of the

puzzle is uh making sure that you find an an adequate um service

provider awesome thank you Kel take quickly yeah for sure just just real

quick you know organization organization seeking certification that’s just all of us as machine shops you know like hey we

got to get certified um and uh and you know assets are something that are

pretty easy to talk about um because they’re kind of everything that you know

everything that would have value to your organization is some level of asset but in terms of cyber security we’re really

talking about assets that you know have this interaction with your key information with your with your

information that should be controlled now in most cases there’s there’s tons

of information you should keep secure um but in terms of certification they care about ones that are identified and

classified as controlled right controlled and then FedRAMP real quick um that is actually a sort of outsized

uh standard and what I mean by that is that it’s significantly more onerous than a CMMC requirement and it usually

covers an entire organizational stream it’s actually specifically for products um and you can check it out uh FedRAMP

and they have a whole Marketplace of all the products that have uh achieved an ATO but the reason this is particularly

important is because of that DFARS clause we talked about before and they have specific language in there about

FedRAMP Moderate compliance uh and uh equivalence is actually the word they

chose to use there which has everybody talking about it but that’s important thank you guys all right let’s

talk about assuming that a shop understands that yep they have confirmed

they do they are getting CUI they are serving the defense base um what uh what

are they need to do to even understand and start their Journey if they haven’t already um so I think as you alluded to

uh Tyler you know finding a subject matter expert to help you um is that so MSPs can be that are there other types

of uh organizations out there that could also be an expert to help

yeah so our journey actually started off with a consultant um and so you know a

consultant could be a subject matter expert um I I don’t have a lot of familiarity with this but I do think

that some people provide um like cyber security as like a service uh I don’t

know exactly what all that entails um I don’t think it means that they’re necessarily managing your IT but but

maybe helping you with your compliance programs um and then uh yeah we uh an

MSP though can um sort of function as a virtual CISO which is what our MSP does

um and CISO stands for Chief Information Security Officer that’s the person that’s essentially responsible for um

executing on vision and strategy for your cyber security processes and

maturity awesome okay and uh Nick I know you’ve been looking at your cui and your

categorization of assets do you want to share a little bit about number three with with

us oh sure I can try my best here the machines are possibly bar to just all kick on at the same time um it’s all

good man but we so our our journey is a little different than going with a u a service provider we have somebody in

house who’s been um we’ve been tapping this kind of slowly and so the first thing we did was um like like it says

just literally mapping the flow of CUI as we’re receiving it and as it’s going out to the production floor and then

What’s happen to it after that um in terms of categorizing our assets I don’t know that I would be the person within

our organization to directly comment much more than that on it um I we have a

like I said a person here who’s been helping us uh in house and so we um I might not be the best to answer

that particular question you want to take that one kelse sure I’ll I’ll just jump in a bit on assets you know I mean

um I think generally speaking there’s two sort of main types of assets that they’re concerned with you know there’s

there’s Hardware assets these are all the terminals all the routers all the workstations all the stuff that um deals

with CUI in some way um and then there’s of course software which is you know also very much an asset something you

should have good tabs on and protect um but it’s a little less tangible you can’t up to it usually um you know yeah

sometimes it’s on a particular workstation but in general those software assets also do a lot of the

processing um of of that information right they’re the ones that are actually displaying it on your terminals they’re

the ones that are you know giving you a interface for your 3D solid model of

whatever flavor you have and so those software assets are ones that need to be controlled because quite often they’re

the Gateway into actually getting or seeing or using that information so those are software assets all right and

then the last two implementing the controls that’s going to be the 110 controls of the NIST 800-171 standard

and then once I guess you feel like you can say yes to most of those you’ll prepare for an assessment with a C3PAO

is that that that’s certified third-party um you know auditor that

that that’s uh where some of the delay has been just to frame that a little bit um you know as late as middle of this

year there were precious few of those so I think the government estimates there’s about 300,000 companies in the DIB the

defense industrial base um and if you’ve got 20 Auditors uh that’s going to take

a long time so they’ve been trying to Mint more of those certified uh

assessors and uh and they’re doing a good job it’s rolling forward but I think that’s where a significant amount

of the delay has been and that’s going to be exponential right not only are they going to burn through some of those um companies already and get on to new

companies but also they’re making many many more of those assessors so right

and we thought we’ just share this very briefly um for for folks that are

actually making product uh you know Machining Parts fabricating things

delivering those but not at the prime level you guys are all in sort of the level two category uh level one and I

I’m curious to get your thoughts Tyler you thought you originally go for level one but then you decided level two

wouldn’t the fact that you’re getting CUI mandate you have to be level two and level one would be like someone that’s

maybe you know an accounting firm or a janitor firm that serves you know a defense facility or something like

that yeah uh certainly if if what you have in your possession is uh considered

kui then yes you you already need to be um you’ll need to be CMC level two uh

for us you know a lot of the stuff that that we make is used in commercial applications uh commercial Aerospace it

does um sometimes also um get installed in you know military applications as

well um and so there was some you know internal discussion over like well you

know they they’re talking about cyber security does it really matter for the products that we’re making because we don’t you know that’s not always

considered CUI um right and there was a little bit of a discussion there but then uh we just kind of decided like hey

you know what um we feel like this is actually an opportunity for our company

um it could open the door uh open the doors to get uh more work so that was

kind of uh our reasoning for going CMMC level two and you know as I mentioned

earlier we did get uh an order for you know some some of those parts that we uh

sell to for commercial applications and the DFARS 7012 was on there um whether it

should be on there I don’t know uh and I don’t know if like the buyer knows that too or if they can make that decision um

but if we’re already there then sure we’re already meeting requirements and I

will mention uh talking to a very large machine shop uh in the last few weeks

you know more than a hundred million doll company and so they are in direct talks with companies like Boeing and

Airbus and Bombardier and and it’s their assessment that those companies are even

though they’re not in the defense base for those commercial programs very much moving as well into this cyber security

realm so it may even though it may not be government mandated it’s it’s very possible that the commercial Aerospace

industry will start adopting these because they also don’t want their data to be breached and and and um hacked so

uh it’s a really good point Paul I actually know of one client who got a a flowdown requirement from their

non-government uh contract but it stated that they needed to be

800-171 compliant right and they were like you know we could try and assess you individually on your security posture

but that doesn’t make sense to us NIST did all the work right why don’t we go ahead

and just tell you you have to be 800-171 yeah so yeah so Tyler thanks for bringing that up I think it’s a really

important strategic decision that shop should be thinking about yeah and just Paul on that on that FCI just to be

clear that’s Federal contract information um so so that’s that that’s that level one sort of area FCI um and

everything under the sun is under there like apparently um they include death certificates as FC

it’s it’s federal information so you know that theoretically is controlled by

level one so depending on what you get you might you might yeah so here’s h a

bunch of other things you might want to be thinking about um or considering and I know Tyler that you had mentioned um

you chose some company that that you thought was going to be a great fit it turns out they weren’t quite quite up to

this level you needed so you went with a different firm can you just share a little bit about what people might be wanting to be uh looking at or cautious

of with an MSP yeah yeah so um the MSP that we had before we realized that we

were going to uh have to switch um they kind of more were just the general MSP that serviced you know customers I guess

in any industry and um it it was pretty apparent that like they were not going

to be ready for CMMC because they were kind of treating it like other um you know cyber security regulations out

there that don’t have any teeth uh to it um like you know CMMC has teeth to it

because you’re going to get certified um and then so we we started looking around

uh we found a company um we actually found a couple companies and we went with one uh option I won’t say their

name but um they they were cheaper than the other alternative the other

alternative was was very costly um and and you know everything it seemed good

it seemed okay but there were a bunch of red flags that um that I didn’t see

because it was like my my first rodeo I guess but um you know they were just

uh they it it became clear that they weren’t going to be a partner in this

process um they were really designed for scale and if um I’m I’m not saying that

there aren’t you know companies out there that can maybe make this work at scale but um the I think with something

like CMMC and and the need to closely collaborate with um you know a subject matter expert or your IT department like

this is not something that um can just be uh done for you completely like you

have to be a part of the process um so if you’re looking for an MSP my

recommendation would be make sure they’re not oversimplifying compliance um make sure that they are engaged

within the broader CMMC community and they’re not just um you know over promising what what they can’t deliver

um sure make sure that uh there’s evidence you know that they are continuously investing in um meeting

these requirements much like you know ProShop developing features to Support

Compliance there there should be proof that they’re doing the right things um

another is you know if they’re withholding uh evidence that you need to do your due

diligence process I’d say that’s that’s a red flag um and yeah make sure they’re

not Outsourcing any anything uh either those those would be my

recommendations solid thank you very much for that um Nick anything on this

list you particularly want to double click

on you’re muted still there you go okay it has like a

little bit of delay there um I I really liked everything Tyler just said our our plan’s a little different we have a a

part-time staff who’s kind of acting as our uh Chief Information officer and and tackling a lot of this on our behalf at

our facility um and so our plan is to then get in contact with somebody um

like an MSP before we actually go to get certified um we’re trying to take on as much as we can

internally um because like Kelsey said a lot of it’s just like good security PL practices and a lot of it is achievable

if you look at it um you know just the list is it’s 110 items right and so it’s

really overwhelming but it certainly is possible to kind of approach it slowly and methodically and actually take care

of some of these things um but for us that’s how we’re tackling it um and we

found that you know there’s a lot of companies out there that are doing a lot

to help you check check some of those boxes like Pro Shop there’s there’s a couple others that I um I could add but

um like Pro Shop for example just doing a couple of these things the way we’re supposed to helps us check some of these

boxes um and so we’ve been kind of taking that approach of start small and

obtainable and like it says here responsibility Matrix I if you haven’t seen that from some of these people

that’s a literal list of things that work tackling for you that if you can add into your security plan you should

be compliant if you’re doing it the way you should like like an example would be working directly out of the K Drive we

don’t that that’s like a one possible example um and uh yeah so starting to

feel off I’m rambling a little bit no that’s I appreciate that those are good points and I was gonna say that that

shared responsibility Matrix um and you know um the the ways in which other

platforms uh not just you know someone who’s consulting with you for cybersecurity because often they don’t

have influence directly on the tools you’re using you know you’re using all kinds of different hardware and software

uh elements um and so getting that shared responsibility Matrix from your vendors where they can help you you know

this is software vendors this is hardware vendors you know um there’s sometimes really simple stuff like

certain types of Hardware is just not compliant so don’t buy that stuff know upfront right that that’s the

case so anyway um yeah I I I would say for sure on that and and then I would

just want to double click Paul on that build mature security slash business processes I know I’m kind of harping on

this but there’s tons of good simple stuff you can do as business processes that increase your security posture

dramatically and tick some boxes on the CMMC controls right to your point Nick

awesome well we are getting way behind schedule we’re going to have to pick up the pace a little bit here so let’s just very very quickly so SPRS or Spurs score

this is um this is basically how you’re doing on those 110 controls I know Tyler

you’re all over this you want to just share a little bit about what this means for people um yeah if you do have uh D 712

on your contracts then you will have to have your Spurs score um submitted um s

s SPRS I forget what it actually stands for but I know it’s a system within PIEE and I’d also forget what that

stands for but um you’ll have to have that score submitted um in order to be

compliant and if you’re doing any work direct with like the government like you know on like sam.gov um in order to

obtain uh technical information that’s classified as CUI you will need that score

submitted awesome and I just shared a couple of links so grab those links in the chat um and SPRS I believe is the

Supplier Performance Risk System but I also have no idea what PIEE means but anyway um good stuff there let’s move

along um so identifying CUI and scope and boundaries that’s that’s a really

big part of this um Kelsey do you want to take this one sure yeah I’ll just

talk real briefly about this even though it uh I’m not going to spend too much time on it even though it is probably one of the single biggest things you can

do to minimize the burden um you know if you decide that uh that you’re going to

you know appropriate scope and what I mean by that is you know Define where the CUI is going to come in flow through

your company and then reside uh in terms of long-term storage and you know uh

later use that will really determine those assets we were talking about um so

you know whether certain terminals certain routers certain uh software platforms are actually interacting right

are are processing transmitting or storing as they as they list right there

and so set setting up those flows um and one of the things that I think is super important about it is identification um

so we’ll talk a little bit more about that later but um you need to be able to have a system that immediately

identifies and then tags CUI so that you can treat it properly uh it’s it’s

nearly impossible to expect your entire company to treat it properly if you haven’t identified it as that kind of

information so we’ll talk about that a little bit more later but that flow and uh being able to scope correctly will

help you on your assessment um dramatically okay great um should we

touch just on the the the three main basic Dimensions storing transmitting and processing Ty yeah I know we’ve

talked about it real briefly but you know storing is pretty basic which is like wherever it’s actually sitting you

know in some kind of uh you know State like a hard drive or you know a backup

drive or a cloud storage provider um because clouds or a filing cabinet even

just on the printer just sitting there you know at the machine on paper absolutely all those things right um if

you sent it as part of a package to your plating supplier because you need to tell them where to rack the part

appropriately but you’re sending them the drawing of the part that’s that’s CUI

you’re you’re transmitting it to them uh maybe in the box or maybe you know in your email or wherever it is um so yeah

for sure those three things okay uh

and once you define those boundaries I guess part of making sure you’re compliant is that you’re not letting

that CUI leak past the boundaries that you’ve set for your own company and every company will have slightly

different boundaries based on their their Network and their people and how they’re choosing to to meet the

compliance requirements that a fair way to say it I think it’s a good uh you

know a good way to describe it and I think that an example of this is you may have certain aspects of your um even

Local Company infrastructure that don’t have any way to access this kind of information the simplest example is your

guest Wi-Fi like everybody should have a guest Wi-Fi don’t have just one Wi-Fi for everybody who shows up and that way

anyone who’s on the guest Wi-Fi is what they call logically separated right from

that so so you can’t there is no path from your guest Wi-Fi into your CUI data

so yeah absolutely creating those boundaries and knowing um physically and digitally where they are usually it’s

the front door is the physical part right like that’s pretty common so yeah

yeah and there’s still lots to work out there like what if you send stuff UPS like oh you’re sending CUI with UPS

how’s that going to work there’s a lot of question marks St just a well I was gonna say I really

like the guest Network example because that that’s one of the ones that we didn’t occur to us till we started working on this that it’s wise to maybe

have a separate router outside of the firewall for your guest Network and so that that’s why I I really like your

point that some of this is just good practice that you should probably do regardless um

so thanks fantastic all right I know we could go on that topic for a long long time let’s

going to switch switch directions here and just talk a little bit about how we are trying to help our clients meet this

um and we’ll start by saying that ProShop is just one puzzle piece in a much

bigger effort you know we’re not claiming to do it all we’re not claiming to some kind of miracle cure but we are

definitely working very hard to make this uh less costly less onerous and a

little bit simpler for our customers so I’ll share a few screenshots here but we’re basically talking about some basic

just security settings that we’ve built into Pro Shop we’ll talk for a minute about Pro Shop Safe which stands for

secure access file ecosystem that was Kelsey’s brilliant naming um I was

leaning to more to Vault but safe is definitely the best name um and then uh

we uh for sure are you know on um going to be getting on the path for FedRAMP Moderate equivalence or certification I

guess it will be um and we for sure share our shared responsibility Matrix with clients that shows you know what

they are responsible for what proshop can cover and what uh AWS in the GovCloud

you know says that they got covered so you don’t need to and we don’t need to worry about those things

um so let’s jump first into security settings so if there are any Pro Shop customers on this webinar and I can’t

see the list but uh make sure you go into your security settings and turn some of these things on um and there are

basic things like you know what we call our password validation rules like uh and we have programmed in specific you

know um CMMC compliant password rules uh as opposed to you know having a three

you know a three character password that that is super easy to hack um things like you know disabling uh uh inactive

sessions or when you need how often you need to reset your password or things of that nature um so if your software

doesn’t have these kind of settings you definitely should be asking them um about that anything on this Kelsey you want to

mention that that’s great Paul I mean there’s lots more but uh we’re also uh right natively

inside a pro shop managing um one-time password devices uh so we use YubiKeys

which are uh I think kind of the gold standard for FIPS compliant which is another acronym um second Factor

authentications so uh so we can cover that requirement which I believe is one of the is that one of the specific NIST

requirements gotta have two Factor yep Y and and for sure just that on those hard keys yeah thanks Nick he’s holding it up

that’s perfect these keys are a very inexpensive and very secure way to manage this um and you know I think

there’s a lot of um broad acceptance that these kinds of OTP devices are um

affordable and extremely robust ways to do two- Factor authentication and people

have asked us about uh about um you know apps you know uh that can be used for a

second Factor um we’re still trying to understand that because I think a lot of shops are and I know Nick you guys are

going to no cell phones on the shop floor so you couldn’t really use an app as your second Factor um so yeah the

reason they’re doing that is I don’t know about you Nick but a lot of people are doing that is because they don’t want to manage you know 20 people’s cell

phones I so I had actually asked that question before we switched to YubiKeys and it was uh

because I I am just so uh comfortable with the authenticator apps like I have so many

um things set up on so I thought like is that an option and uh and I was trying to set it up kind of uh hastily and um so I

had authenticator readily available to try out and so that’s why I was asking but I I found YubiKey just to be so easy

to set up on on Pro Shop that it was I I didn’t if I had known it was as easy as it was I probably wouldn’t have waited

so long because they are just like 30 bucks a pop and just buy a bag of them

and so so this is uh some information that is relatively new to Pro Shop we’re

calling it this is proshop safe um and we have a couple of screenshots where these new attributes are in the user

module so uh individual employees can be added to what we call a file access Security Group uh and then also

authorized for certain classification markings and in the lower right here we’re seeing an example of when you’re

attaching a file into proshop it allows you to classify uh uh those that those

files tag them you know with CUI with FCI or whatever these you know ITAR

whatever it might be um and clients will have full control over that list they could use it for HIPAA if they’re us if

they’re in the medical device industry um but uh we believe that’s an important

part of the the the marking requirement and then limiting access to who can see what um and then on this

next screen just an example of uh the configuration behind proshop

safe where you can completely lock down uh the file storage that Pro that backs

up the Pro Shop you know application where you would be storing things like models and drawings and other types of

things that would be CUI uh and uh being able to very precisely limit who can

access and do what to what folders and files do you want to add anything to that Kelsey I know you’ve been deep into

this yeah I mean the other thing that um I certainly think is valuable about

information aggregation which is like if you’re looking for information about a part number it’s tough if you got to go

look in five different places for the information to understand what’s up with that part number so the idea of like

siloing CUI in one spot but all the non-CUI information in some other area that

you would then have to reference maybe two or three different places that gets kind of tough uh from just a transactional daily work basis so if

instead you can employ a technique like this where you’re classifying that information is CUI and therefore

protecting it right in the same directory right in the context so that folks who are allowed to see it can see

it and folks who are not are not but also um it’s readily available to the

right people at the right time that seems like the the the good combination in this case and that’s really what we tried to go for here with Pro Shop safe

and those classifications awesome and I do want to point out um and I’m still learning and

exploring this whole notion but we’ve definitely had clients that have shared that they are they have eliminated their

local servers they even are eliminating their domains and work groups they just have basically a collection of computers

you know Pro Shop terminals in their shop that are directly connected to the GovCloud you know through this through

Pro Shop safe and and their second Factor authentication and they’re really trying to go for like pretty much a zero

digital CUI on premise model where they’re just it may it could be that

their entire local company’s network is not within the SK CUI boundary um it you

know I’m not saying that’s possible I’m just saying that’s that’s that’s what um I’ve heard some are trying to achieve

and it’s possible that that is maybe from a storage perspective that is absolutely something I think that that

could happen uh from a processing perspective every terminal’s got to process it so of course you know the

terminal is in scope yeah for sure yeah good great distinction and then last uh

couple more here this is actually this is I this is the very latest hot sort of

beta this is actually a beta test um screenshot that I was given permission

to share um this is where you can even take anything in your Pro Shop cloud

storage drive and and very quickly add or remove or replace um classification

markings uh across you know hundreds or thousands or tens of thousands of files all at once so um it’s uh it’ll be a key

part of that classification uh system so looking forward to having clients get to play

with this um and and then this Kelsey I’d

love to have you just share very briefly on this one couple minutes on this this is um this is specifically targeted at

companies that you know um don’t have a big budget uh to you know work through

the entire process of uh CMMC and you know the whole plan uh and then

executing on all of their POA&M and then you know keeping up to date with all the

things that they’ve made so you make a list of assets and you’re like oh good I got an asset list the question is is

that always being updated exactly as it should be and typically when it’s a spreadsheet um you may not be keeping

that as current as you wish you were uh so this uh this slide really just shows

some of the ways that specific modules within Pro Shop are being leveraged by some clients to uh not only manage their

compliance Journey um but then also remain uh compliant and and continue to update their their processes um and use

a lot of the proshop ecosystem to do that fairly effectively so won’t spend a

lot of time on it but you know being able to do things like you know the documents module for a system security

plan or you know the equipment module to keep track of those assets those kinds of things are all um ways which you

could leverage Pro Shop and that you’ll see a lot of that specificity in a shared responsibility Matrix we’ll

outline specifically how each module can support each control and this just hearkens back to

the the really solid advice that uh that security practices are really just good

mature business practices um and uh these modules that are in orange here

these are modules that have been in ProShop for you know more than a decade and they were built for our QMS uh compliance but

they happen to be just really solid to to apply for these you know security focused business processes um so we were

kind of as we were kind of mapping this out we were kind of pleased to to realize that you know what there’s a lot of it that can be managed right in here

without needing a ton of spreadsheets or other software and uh for clients that want to want to use that

um it’s kind of there for them to to scaffold that and correct me if I’m wrong kelse we are uh we have a few

clients sort of beta testing what we call our sort of security flying start package if you will we need a better

term for it but uh where they’re kind of we’re helping them Implement their CMMC

Journey using all these modules that’s correct yep we we have you know um

several hundred documents and templates and queries and systems that are built

right in uh to Pro Shop using these modules that we have some clients beta testing uh that right now okay awesome

and as we were preparing for this and going through that responsibility Matrix um we identified that of the 110

controls of the NIST standard proshop has built features and has functionality that directly manage or partially manage

55 which magically is exactly half of 110 controls so um we’re feeling pretty

strong that we are hopefully making an impact in our clients to make it less less cumbersome less expensive um and

it’s like it is going to be manageable for them to do that um without just a crazy crazy budget um hopefully you

don’t need to spend that $1,000 a lot of on that Journey people are saying it will take way less um

selecting a C3PAO uh besides having a friendly robot at your side maybe Tyler

do you want to share a little bit about what um you might recommend for

this um this is actually not something I’ve uh really looked into yet okay so I

can hand I can hand it off to Kelsey but I I would say um getting your you know

if you’re just starting out on your journey finding your subject matter expert um who’s who’s going to help you

is is um going to be very important first step and then um the I would say

the C3PAO could be the focus after that yeah this would be once you feel like

you have all your Spurs score is like 110 or whatever the total like you feel like you’re actually ready to go get

audited is this about the right time Kelsey maybe you would think yeah I mean I think I think that because it’s

actually you know sort of conflict of interest for the very people who helped you get there to also be a third party

um you know that’s kind of the definition of third party they weren’t involved in in your whole journey um that that this is later in the game that

being said I know they’re in extremely high demand right now um so you know you may if you’re looking to expedite your

timeline a little bit um you know try and get on someone’s calendar uh in advance of when you’re actually ready

because if you wait till you’re all done and dusted um you could be a long wait for that now I think if you’re all if

you’re all done and good anyway and it isn’t um yet on your requirements list to to have the actual assessment um you

may be in perfectly good shape to look for that C3PAO after the fact and since they’re in high demand right now it’ll

become easier and easier I think to to find these folks there is a Marketplace

um of Cyber AB accredited third parties

you know certified third-party auditors um or assessors I should say um if you go on the cyberab.org site they have a

Marketplace there of all folks who have um pass that bar uh because those are

the people who are graduating these AIT aors great advice probably good just

good thing to think about just being you know we mentioned earlier I know when CMMC really got traction companies were

just coming out of the woodwork saying that they could help and they can help get you compliant and you know weeks or

months and just you got to be really careful about uh people that are preying on um companies that aren’t really sure

exactly what what it’s going to take so just be really cautious there yeah can I just say Paul on that one um if you

think of it conceptually more like some of the other requirements like becoming ISO certified or becoming AS certified

and realize that you actually have a lot of the control in the situation you’re building the processes you are driving

the behaviors in your organization this isn’t a nebulous Tech thing there are actually very few controls that are kind

of this like weird Tech magic most of the controls are all things that are very much your business and how you plan

to do it and I think if you come at it from that perspective you’ll have a lot more not only confidence but success in

finding the right fit for your organization uh to help you and to get audited you are very much in control

yeah yeah awesome and I noticed in the chat Scott and Tim are chatting about

VLANs I presume that’s a virtual LAN so um and Tim thanks for mentioning Pro

Shop on premise we haven’t mentioned that we certainly do have a a handful of clients that do pro shop completely on

premise even behind a full air gap where their network is not connected to the outside world at all um so that is

something we can support as well so um so marketing uh you know I think

Tyler you you know sort of set the right tone earlier this can be very much a strategic uh move that companies can

make um to be on the you know maybe not on the Leading Edge if they’re not

starting yet but be really proactive to get this um it will be something I think

uh even companies outside of the defense space will appreciate about a vendor um

feel confident that they their data will stay safe there um couple of other

points don’t say you’re certified if you’re not you really got to use the right terminology talking about your

Spurs score and just how many of the controls you you meet um and uh you and

if we were prepping for these you guys were debating that whether you do or do not publicly

share your SPRS score you want to just touch on that real briefly I don’t I don’t know about

publicly but we’ve been asked for it um by two customers now asked for it and I

guess if I could answer that quick question about how often you should be doing it our what we were trying to do

is um do it like as often as your POA&M so like as as you’re making updates to your score they should be reflected in

Spurs and I think that’s really good because it shows your progress in Spurs you don’t just have one number of a

score you have your record going from five to 10 to wherever you end up yeah

and so I think it’s wise to be doing it as often as you’re making changes and then I I don’t know about sharing it

publicly but we we’ve certainly shared it with customers as part of a I think customers wise yeah especially if

they’re asking yeah so Kelsey’s been a champ at answering chat qu or Q&A

questions via text this whole time um so I think Tyler you just covered Adam

Zimmer’s question about changing Spurs scores um and we are running a little long but uh I want to just say thank you

so much to everyone to Nick and Tyler and Kelsey for all your expertise today

Nate and and modern machine shop for hosting us um yeah hopefully uh people

got something valuable from this that helped them in their decisions and their Journeys going forward

for sure yeah thank you Nick thank you Paul thank you Tyler thanks Kelsey um and thank you to everyone for listening

in and thanks to Pro Shop for making this webinar possible um and just a disclaimer you all should receive an

email with a link to the recording to this within the next few hours um so thank you everyone I think that’s a good

spot to end it and I hope you all enjoy the rest of your day thank you all and Happy Holidays thanks

Nicky yeah appreciate it

[Music]
