Breaking Down the CMMC Requirements

Unsecurity Podcast

Thanks to Brad, FRSecure is now an official CMMC Registered Provider Organization (RPO). Given this, and the CMMC requirements beginning to trickle out to DoD service providers and supply chain, he and Evan chat about the upcoming CMMC requirements. Tune in to episode 114 to get an idea of what it looks like, what FRSecure is going to do for it, and what you can do to start preparing. As always, feel free to send questions, comments, and feedback to us at unsecurity@protonmail.com.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders ensure their organizations are protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Good morning. Thank you for tuning into this episode of the Unsecurity podcast. This is episode 114.

[00:00:28] Evan Francen: Yeah. Yeah

[00:00:29] Brad Nigh: Wow. Today is January 2nd, 2021, which still feels... 12. Oh my gosh, I totally misread that. It's January 12th. Oh boy. That's a great start. We can tell where this is going to go today. Uh, joining me as usual, my good friend and coworker Evan Francen. Good morning, Evan.

[00:00:52] Evan Francen: Good morning man. How you doing?

[00:00:54] Brad Nigh: Well, I think the fact that I can't read the date probably tells you a lot.

[00:01:01] Evan Francen: You know, we all make mistakes, man.

[00:01:03] Brad Nigh: kicked in yet.

[00:01:05] Evan Francen: No. And I'm here at this, uh, Cancun coffee shop and they don't open till nine. What kind of coffee shop doesn't open till
</gram_replace>
<gr_replace lines="29" cat="clarify" orig="[00:01:12] Brad Nigh: nine.">
[00:01:12] Brad Nigh: Nine.

[00:01:12] Brad Nigh: nine.

[00:01:14] Evan Francen: Yes. I'm sitting outside waiting for that door to open. I'm gonna go grab something.

[00:01:19] Brad Nigh: Yeah. Oh, I guess you're an hour ahead. I was like, I couldn't wait two more hours for coffee, but even still, waiting another hour for coffee.

[00:01:29] Evan Francen: Yeah. Back in the resort, they have coffee, the coffee shop opens at seven, and so I went in there on the way to walk down here. You know, it's about a mile to walk here, and there's a huge line. So I just said screw it, wait till I get here. And

[00:01:46] Brad Nigh: By nine you're usually, like, what, four or five coffees in?

[00:01:52] Evan Francen: Yeah, it's about lunchtime, right? That sucks when you have your first cup of coffee at lunch.

[00:01:59] Brad Nigh: Wow. How's it going down there?

[00:02:02] Evan Francen: It's going well, man, making progress on the book. You know, we had the drama last week, and this week I got my head sort of straight. Um, I think we have a really good outline for it. I don't know what the title is going to be exactly, but you know, it's going to be a vCISO handbook essentially: if you're not doing these things, these fundamental things, in providing vCISO services... and the same things apply to a CISO really, but my primary target is let's get some of these vCISOs to start doing things the right way instead of, you know, just taking a bunch of money.

[00:02:40] Brad Nigh: Yeah, that would be nice.

[00:02:44] Evan Francen: Yeah, I think we're settled in. Marlys, my wife, she got down here, I think, the day after the podcast last week.

[00:02:51] Brad Nigh: Okay, good. Yeah, I meant to ask and it got away from me, and then it's like, oh, whoops.

[00:02:57] Evan Francen: Yeah, so she had surgery on Friday and, yeah, so she had no teeth. So I made fun of her, uh huh, for a little bit.

[00:03:10] Brad Nigh: I mean, one of the few times. Right, right.

[00:03:14] Evan Francen: It was a good new release for SecurityStudio, that was kind of exciting. I like the S2Me additions, we added threat monitoring in there, which I think is nice because security is not a one and done, right? We need people to, okay, do your assessment, find, start making some changes, but then come back. Right? Yeah, there's yelling at me.

[00:03:37] Brad Nigh: Yeah, I'm kidding. Um, you know, yeah, I like that. I thought it was really good. Um, what's interesting is when I was looking for news, there's actually a story on the Infotech magazine that two-thirds of people, uh, don't consider security when working from home. Yeah, it's

[00:03:59] Evan Francen: Like, yeah, this is the year 2021, right?

[00:04:03] Brad Nigh: How do you not do that?

[00:04:06] Evan Francen: Well, we come from a different perspective and, you know, to us it comes natural. That's always been the challenge: how do we make security stick? How do we speak the language that resonates with non-security people? We'll keep doing this forever, I think, I don't know. Yeah,

[00:04:23] Brad Nigh: It's... well, you know, you're off in the chat, so you have it. Um, but you know that, yeah, people are going to continue to work remotely after this. It's not like one day everybody is going to go back into the office full time. We've seen there's been a fundamental shift in how this is working. And so this is only going to become a bigger and bigger deal.

[00:04:51] Evan Francen: Right, man. And you know, I was actually going to say, you know, I did it somehow. I became part of the coffee club down here with a bunch of old

[00:05:00] Brad Nigh: Oh yeah,

[00:05:01] Evan Francen: old geezers. I mean that, not... yeah. Loving

[00:05:06] Brad Nigh: term, yeah.

[00:05:07] Evan Francen: Yeah. And they were talking to me yesterday at coffee about, um, just fundamentals around information security, and you could see almost immediately that they were overwhelmed. But they felt comfortable talking to me because I'm part of the group, right? So I became part of the herd. They asked some great questions about just, you know, basics. One of them had actually heard of the SolarWinds attack, so he asked me some questions about that. Uh, you know, I said you just really got to focus on the fundamentals, and then, you know, one of them, a doctor, is like, so what are the fundamentals? I'm like, funny you should

[00:05:52] Brad Nigh: ask.

[00:05:55] Evan Francen: You know, one, taking inventory of all the stuff you have. Do you even know all the things? You know, we've talked about this on this podcast before, right? Uh, and here's some ways that, you know, and I showed him some ways that you can do that. And I said once you feel comfortable with the hardware stuff, you understand where that stuff is, then you want to dig into the software: what kind, what software are these things running on my iPhone, what applications am I using,

[00:06:19] Brad Nigh: what do they have access to?

[00:06:21] Evan Francen: Right. So I had him whip out his iPhone and showed him how to check all the applications that are installed on an iPhone, and then I said some of those applications you never use. Get rid of them. Right? You know, it's just more complexity. It's more things that you need to update and patch. Well, it was just a great discussion. And so I figured if I can resonate with, you know, these guys are 70, I think Dick is like 81. If we can resonate with those people, why can't we get these two-thirds that aren't taking security seriously at home? Yeah, because it's not just like protecting the business. What about your family?

[00:07:06] Brad Nigh: Well, yeah, I mean, what happens when your bank account is emptied,

[00:07:14] Evan Francen: your kids are preyed upon. Right.

[00:07:17] Brad Nigh: Right.

[00:07:19] Evan Francen: Yeah. It's a dangerous place, you know, and then this week with all the, you know, the Twitter stuff and the Amazon and the Parler and Google, Apple, Google, Amazon, Twitter all banning Parler, that causes a whole bunch of concern for a lot of people, and it doesn't matter if you're left or right. It's this expression of your opinion is being suppressed. Voices are being suppressed. I don't know, man. It's a weird, weird 2021, and it's getting... all right.

[00:07:55] Brad Nigh: I was going to say it's not a great start. No, um, wow. Yeah, it's crazy. Yeah, I've been really working on... we'll have to see. So the SolarWinds thing really hasn't... we're doing a bunch of threat hunting, but those are all wrapping up. We're not seeing anything, um, really malicious, which is nice. It's a bit of a relief. Um, so we're wrapping up the majority of the threat hunting and we're just gonna let some of these, uh, installs do their timeout and just keep monitoring. We have alerts set up so that if anything were to run we would catch it. But that was a pretty big relief that there was nothing malicious that we really found.

[00:08:50] Evan Francen: Well, last Friday, wasn't it, didn't Oscar, and I think it was Oscar, Eric and Pinky, they did their first Under the Hood threat intel series on Friday.

[00:09:08] Brad Nigh: Yes. Yeah, I wasn't able to tune in. I had meetings, unfortunately, but I believe so.

[00:09:17] Evan Francen: Yeah, that's cool, man. It's cool to get the word out about, you know, I had a meeting with a hospital yesterday morning and just talked about, you know, how impressed I am with this team. You know, that team is growing. They just hired a new

[00:09:31] Brad Nigh: Esther

[00:09:32] Evan Francen: and I think they could probably use a couple more. I think they're booked out to April right now.

[00:09:38] Brad Nigh: True. Um, yeah, it depends on what they're looking at, what people are looking for. So I think for some things, yes.

[00:09:46] Evan Francen: So, you know, that's all positive stuff, and the thing that I'm the most impressed with on that team is you can teach skills to anybody, right? Not only does this team have skills, but they've got scruples, man. They've got both.

[00:09:59] Brad Nigh: Yeah, I mean, in December I think it was, I can't even remember, uh, one of their guys, one of Ambush's guys, found, uh, basically a zero day in one of the hardware devices and reached out, made a responsible disclosure. That's pretty cool that it wasn't, you know, out there anymore, and immediately stopped and was like, okay, wait, we gotta, we need to reach out to this company and let them know.

[00:10:33] Evan Francen: Yeah, absolutely. So for listeners, Team Ambush, as we were talking about, that's FRSecure's technical services team. And if you Google "Under the Hood Team Ambush" or something like that, you'll find what I'm talking about. They do it once a month. It's just kind of candid, open talk about the things that they're seeing in their threat hunting exercises, IRs. Yeah, it's

[00:11:02] Brad Nigh: a more technical, you know, we keep this fairly high level and don't really deep dive technically, but theirs is very much, um, a technical discussion. So it's different than what we're doing.

[00:11:17] Evan Francen: Yeah, the geeks would like it. Yeah,

[00:11:21] Brad Nigh: Yeah. All right. There's the YouTube for that one they did last week. Yeah. But yeah, it's amazing what that team has done, you know, and as crazy as it is as a company, you know, we've hired, we hired a new consultant that started basically at the end of November, early December. I think she started the week of Thanksgiving. You know, we're hiring pen testers and, uh, still being very busy during all of this. It's pretty awesome. It's a nice feeling.

[00:12:05] Evan Francen: Well, I feel best about it because it's so good for our mission, right? We know that, from my perspective, I know that each and every customer that we're working with is getting good care, right? It's being done correctly. You don't take shortcuts. Yeah.

[00:12:20] Brad Nigh: Yeah. I actually had a call with a potential customer yesterday afternoon, um, that had had some work done by a big firm, I'm not gonna call anybody out, uh, around implementing Office 365. And he was like, yeah, it's great, they turned it on and then were like, okay, here you go. Right? Well, what should we be doing for security and what do we do? And he said they just simply sent him some Microsoft links and said that's not part of the statement of work, good luck. Like, no, that's not... here's what you're gonna get from us. And like, if you are working through this and six months from now you're like, shoot, I don't remember what they were talking about on this control, let us know. We stand by our work. We're not gonna leave you hanging just because it's been six months since we delivered a product, and if we didn't do a good enough job, why wouldn't we take a half hour to explain it to a customer to make sure they're able to do what they need to do?

[00:13:26] Evan Francen: Yeah, and why would you ever consider an installation done when it's not secure? Right? It's not done. You know, it's supposed to be secure by design. You should know better. You know, it's like a firewall: plug this shit, excuse my language, plug it in, you know, default password, any-any, and yeah, there you go. Well, how do I use it? That's not part of the engagement.

[00:13:49] Brad Nigh: The checklist. Good luck. Right, come on. So, yeah.

[00:13:56] Evan Francen: Pay your bills, because they've got big lawyers, probably. Yeah, I mean not big like big or fat, but just a

[00:14:05] Brad Nigh: lot of them.

[00:14:07] Evan Francen: Yeah. Yeah, big degrees and lots of letters after their names and such.

[00:14:11] Brad Nigh: But anyway, um, other than that, I think the biggest thing obviously that I've been working on is CMMC. I got my Registered Practitioner

[00:14:22] Evan Francen: Nice.

[00:14:23] Brad Nigh: the last week of December. Uh, it's been a couple of weeks. It was, I mean, it's training on a standard, it's not exciting, but it was actually pretty... there's a lot of good information, uh, in it around what they're gonna be expecting and things like that. So I think it's gonna be good. So I think that will be the topic today. We're gonna talk through it, and I think, if I'm not mistaken, you don't know a whole lot about it other than some high level stuff, correct?

[00:14:57] Evan Francen: Yeah, I read it.

[00:14:58] Brad Nigh: Okay, well, in that case I think maybe it would be good. I was thinking, you know, as we are clearly winging it, I'll just start, we'll talk about it, and if you have questions or anything, let's just have a conversation about what it looks like, what we're gonna do for it, and what people can do to start preparing.

[00:15:19] Evan Francen: I like it, man. So how did you, what does it take to become a practitioner?

[00:15:23] Brad Nigh: So you have to be associated with, employed with, a Registered Provider Organization, which is a readiness, basically, uh, company. So we applied for that in July, and I think we got it approved in like early December, um, because they had some issues with that. So we're FRSecure, an RPO, we're on the marketplace, and then, uh, for being a Registered Practitioner you have to go in, uh, fill out a little bit about yourself, submit a background check, it's just a basic one looking for, you know, the big things, uh, and then once that's approved you just have to go through this training and pass the quizzes. Uh, you have to have an 80% on all of the different quizzes. Uh, and then sign the code of conduct. And that's, I mean, it sounds easy, but you know, I think it's like five hours of video training, plus with the tests that comes out to be about six hours of content for it. So.

[00:16:36] Evan Francen: Okay, so it's not like an instructor-led one week, two week course or anything. They've got videos and you watch those, take your quizzes and pass. Yeah.

[00:16:48] Brad Nigh: It's really more focused on kind of, like, what led to this, um, what's included, what do the different levels mean, what are the assessors going to be looking at, how can you prepare people for getting CMMC certified? Um, you know, it had, there were things like that, you know, around the DFARS and all that. There's around what the different groups are. So there's, um, you know, the organizations seeking certification, that's your companies, the RPOs, the C3PAOs, and then, you know, how are disputes handled? How are these different things handled? It didn't go into so much the actual content of CMMC but more around the concept of it and how it's going to operate. Okay.

[00:17:48] Evan Francen: Yes. So going into the certification versus now that you've been through it, you know, you feel better about CMMC than you did going in, about the same?

[00:18:00] Brad Nigh: Uh, no, there was some really good information in there. Um, you know, there hasn't been a whole lot out there. Uh, it's still fairly new, but there was some really good stuff in terms of what this is going to look like, what the expectation is. Um, you know, we didn't know. So what does certification mean? Right? What are they going to be looking for? And so, you know, now it's, you have to go through, depending on what your level is, you have to have two out of three forms of evidence at least. So that could be, uh, documentation, um, testing or interviews. So you have to have at least that, if not all three. Right? It depends on what the control is and how, I guess, how good the auditor or assessor feels about it. Uh, and the other big thing is you have to interview the person directly responsible for the day-to-day, the ins and outs of whatever it is. So if you're looking at endpoint protection, the CIO can't be the one being interviewed unless he's actually doing the work. They're gonna want to talk to the sysadmin or the help desk or whoever. And it's at the auditor's discretion if they allow anyone but the person they're interviewing in the room during the interview. So it's very much a, um, there's a lot of confidentiality around it, and they don't disclose the contents of those interviews. They're private.

[00:19:39] Evan Francen: You can't disclose the contents of the interview, even with, like, the CIO?

[00:19:43] Brad Nigh: Right. Yeah. Well, that's what they said.

[00:19:49] Evan Francen: So they, but what about you as the RPO?

[00:19:53] Brad Nigh: Oh, as the RPO? Oh, we're just, we're going to be helping. So we're gonna, you know, it would be more trying to coach people up. Okay, when they go into those interviews they have what's necessary to be successful.

[00:20:06] Evan Francen: Okay. So the C3PAO then, when the C3PAO engages, they interview, say, the sysadmin, and the CEO wants to know what's discussed in that interview. They can't share it.

[00:20:21] Brad Nigh: Yeah. I mean, I think I'd have to go back and double check. I think they could if there was maybe, if there was something that was like, uh, an actual threat, like the sysadmin said, you know, he's actively undermining it or something. But they are under no obligation to share it.

[00:20:42] Evan Francen: Wow.

[00:20:43] Brad Nigh: Yeah. By default, they're not going to share the information disclosed in the interviews.

[00:20:50] Evan Francen: All right. So today, who needs to be CMMC certified?

[00:20:55] Brad Nigh: They don't. Right now there's very few. But ultimately, at the end of the day, anybody that has federal contract information, FCI, with the Department of Defense will have to have some level of CMMC. And this is the part that surprised me, you know, because I hadn't thought of this, but he's like, yeah, that chicken farmer that supplies chickens for the military, they're gonna have to be CMMC level one certified. The janitorial service. And you don't think of those people, you know, all the different farmers, all these really kind of non-... what you would consider information security, or you wouldn't necessarily think about being in the DoD supply chain, but it's going to be pretty wide ranging.

[00:21:53] Evan Francen: Yeah. And so I would assume, uh, if you are one of those organizations that has FCI with the DoD, uh huh, it may not be coming right away, but you'll need to become CMMC certified at some point.

[00:22:07] Brad Nigh: Right. Yeah. Well, in fiscal year 2026 every DoD contract will have a CMMC requirement.

[00:22:16] Evan Francen: By when?

[00:22:17] Brad Nigh: By 2026. Every single DoD contract will have CMMC requirements. Okay, they're gonna ramp up to it, um, over the next couple of years. I think this year and next year is kind of a slow ramp up, and then it goes up a little bit in 2023, and then the jump from 2023 to 2024 is pretty significant.

[00:22:41] Evan Francen: Okay, and so, uh, as a business, if I have one of those FCIs, I know that CMMC is coming. My other choice as a business is to not do business with the DoD. Right.

[00:22:53] Brad Nigh: Right. And yeah, basically. And I have a feeling, you know, I don't have any proof of this or any evidence, but my gut feeling is, as this deploys and gets spread, I wouldn't be surprised to see other government entities start to adopt this requirement. You know, why wouldn't they? Right? They've got contract information and the controlled unclassified information. Yeah. Why would you start putting a standard in place to protect it?

[00:23:31] Evan Francen: Well, that's the thing. I mean, there are so many standards. I think the big challenge, you know, that's one of the points I make in the book too, is, I mean, there's so many standards: CIS, NIST SP 800-53, you know, DFARS. I mean, there's just so many. What people struggle with is how,

[00:23:56] Brad Nigh: Yeah. Well, and I think, I will be honest, I'm pretty impressed with how this is rolling out in terms of, hey, you've got these RPOs whose whole, their sole focus is helping you prepare for it. And there's a marketplace for it on the government website. So, you know, if you hire one of those people, they should be pretty good, right? They have signed the code of conduct, and there's all kinds of things around how, if you're the OSC, the organization seeking certification, uh, you know, if you feel like somebody is doing it wrong or is being unethical, how to report them. So they've got some pretty good controls in place. They also have the requirement: you can either help with readiness and coaching or consulting, or you can do the assessment. You cannot do both, no matter what. Even the same entity cannot do both, even if it's in two different business units or whatever. Nope.

[00:25:01] Evan Francen: I love that. That part I really did.

[00:25:04] Brad Nigh: Yeah, the one caveat to that is if you're the C3PAO that will be doing the assessment, you can do a readiness assessment, like a gap assessment, but it cannot include any advice. So it would be literally like going in and basically doing a mock one and saying, okay, here you passed, failed, here's your report, but you can't provide any documentation, any training, any consulting. And if you do, you risk basically losing your certification.

[00:25:32] Evan Francen: Right. That's cool. Man, can you see us maybe building a readiness assessment within SecurityStudio?

[00:25:43] Brad Nigh: Uh, so I'm almost done with the readiness assessment workbook. Um, and so, yeah, I mean, I think it would make sense to do a CMMC-specific one, because, as I said, you have to collect actual information, you have to document who you interviewed, and, you know, I could see where that would be a great tool for any of those organizations that are looking for it, to be able to pull that up when the auditors are there and say, look, here's everything we need, here is our evidence. You know, it really would give them a very organized approach. Any time you're dealing with auditors, the more organized and easier you can make their life, the easier they're gonna make yours.

[00:26:32] Evan Francen: Exactly. What I'm just thinking too, that customers should self-assess. So what would you call them, an OSC?

[00:26:40] Brad Nigh: Organizations seeking certification.

[00:26:43] Evan Francen: Okay. So, and I want to see, uh, the first step, I assume, is we want to do that readiness assessment. Right?

[00:26:50] Brad Nigh: Yeah, I think our approach is going to be, so we've mapped the S2Org to all the levels of CMMC. Now realistically, I mean, probably, I would guess 90% are going to be level three or below, at least, if not more. So, you know, level four and five are going to be kind of a one-off. So we're really focusing on those one through three that, you know, are really going to be the biggest, um, group. Um, so yeah, you could do a readiness on your own. You don't have to be certified to do it. Um, I think the benefit of working with, you know, FRSecure or another RPO, whoever it may be, is all these little nuances that maybe you don't realize, or, you know, looking at that evidence and going, no, that doesn't actually meet that requirement. Um, it would be worth it to do that, but we mapped it. It's a snapshot in time, I guess, right? It would kind of be like a high level readiness. Where are we at? What are we missing? Because when we do that we're not necessarily digging in and requiring and doing testing on that. It's an assessment to see where you're at, where are your risk levels, and then dig in from there. Right? Yeah, so that will give you an idea of where it starts. So from our standpoint we're going to start using that as a, all right, we know you're gonna need to be level one, and of the 17 controls, 15 of them don't fully satisfy it. All right, let's start working on this. Um, and then once we get to a point where we feel like, yeah, we've got everything in place and we're in good shape, now let's do that deep dive gap assessment and actually collect the evidence that you've created and interview the right people and basically do kind of a mock of what's going to happen when the assessors come and make sure that the evidence does meet it. The other thing is they say you have to have a significant period of time for the evidence.

[00:29:06] Evan Francen: So, so is that usually,

[00:29:09] Brad Nigh: So they didn't, uh, really define that. Uh, to me it would be at least six months, if not a year, of evidence that it's there, because the words he used were, it has to be shown as part of the company culture. So if they come in and you have a control in place, or a policy that's been in place, for a month prior to the assessment when the C3PAO comes in, that probably shouldn't qualify. Okay, right. Uh, the other thing is you have a 90 day, so, a couple of things. Uh, unlike DFARS, you cannot have a Plan of Action and Milestones. You cannot have a gap. You have to have everything or you fail. Um, you do have a 90 day window for remediation, and that is focused primarily on things like, hey, the person that's responsible for this is out on leave so you can't interview him, or we don't have this evidence because, you know, they would be able to provide it to you. Uh, that would be kind of the exception, to be able to say, okay, 30 days later, the person's available, here's our evidence, and still show that significant period of time. If your gaps are lack of documentation and you create that in the 90 day window, that's not gonna fly because it's not ingrained in company culture.

[00:30:35] Evan Francen: All right. So it is really important that if you're planning on doing business with the DoD, or already are doing business and want to keep it, that you get started

[00:30:46] Brad Nigh: now.

[00:30:47] Evan Francen: Yeah. You don't want to get started, you know, three months before you need to be certified.

[00:30:56] Brad Nigh: And who's

[00:30:56] Evan Francen: going to tell you that you need to be certified?

[00:30:59] Brad Nigh: The government contract. It'll explicitly state it. It will say, yeah, here are the CMMC requirements, and then, you know, anybody that accesses this must have level one, level two, level three, four, five. So you have to assume, if you have any sort of government contract, you're level one minimum, right? That's just the expectation. If you sign a government contract with the DoD, expect to have a minimum of level one. If you have any controlled unclassified information, you'll be level three. That is, you have to assume that by default. Now, obviously, that won't be in every contract until 2026. But I mean, that's the reality, is that you need to start thinking that way.

[00:31:49] Evan Francen: Right? And you know, I've read the CMMC, I've read the controls and the requirements, and I mean, a lot of it's good business practice. Yeah. I mean, we do live in a digital age. Yeah. I mean, it's okay to do it too early. You don't have to wait till the last minute.

[00:32:08] Brad Nigh: Yeah, for sure. I mean, right now you're supposed to be self-certifying with DFARS regardless,

[00:32:15] Evan Francen: Right? You

[00:32:16] Brad Nigh: know? Well, so the thing is, you know, if you're self-certifying with DFARS and have a breach and they come in and find out you've lied, guess what, they're gonna come after you. That's the False Claims Act. So the payment, uh, is treble damages, three times the contract value, plus a penalty of $11,000 per claim. So in the fiscal year ending in September of 2019, the Department of Justice obtained more than $3 billion in settlements and judgments involving fraud and false claims against the government. So not really worth

[00:33:02] Evan Francen: messing around.

[00:33:03] Brad Nigh: Yeah.

[00:33:05] Evan Francen: Eventually the stuff is going to catch up to you anyway, right? You're going to get hacked out of business or the government puts you out of business.

[00:33:12] Brad Nigh: Yeah, I mean, hey, I wouldn't mess around with it. So getting started now is probably the best thing.

[00:33:21] Evan Francen: Right? So I'm a business, I want to get started, you know, I know that this is gonna be affecting me. Uh, where should I go? Is there a website?

[00:33:33] Brad Nigh: Yeah. Yeah. So it's CMMC dash AB dot gov, I believe. Um, and then there's a link there on their main page for... no, sorry, it's CMMC AB dot org. And then you click on that and there's a link for a marketplace, and then you can determine if you want, um, you know, who you're looking for. You can look up the Registered Practitioners, you can look up RPOs, you can look up the C3PAOs. Um, so I would start with an RPO, right? Those are the ones that are dedicated to helping you prepare.

[00:34:20] Evan Francen: Yeah, I'm guessing most organizations... the one thing I would put off till the last minute, personally, would be the certification. I would do all the preparation and everything else and get everything else squared away. I'd do probably a couple of mock certification interviews with my RPO or something before, you know, bringing in that C3PAO.

[00:34:42] Brad Nigh: Yeah, I'm glad you brought that up. The thing is, you don't have to be, um, CMMC certified to bid on an RFP that has CMMC requirements. You simply have to be certified at the time the contract is awarded. So if you've done all the work, yeah, why not wait till you know that you're going to get the contract to get that certification? But you better be darn sure you're gonna get the certification.

[00:35:11] Evan Francen: Well, and there's nothing wrong either, I think probably on that website or in other places, uh, maybe we have something too, you know, you can do your own readiness assessment just to get a feel for what is this thing? How far away am I? There's nothing wrong with doing that and then engaging an RPO. Because that's kind of the approach I think I would take. I would go, first, what the hell is it? Right? Figure that out and do a self-assessment myself, with my own staff, because it's a good exercise for us to go through anyway. And then I'd engage an RPO, do another assessment with the RPO, and then, you know, kind of go the coach route with them.

[00:35:53] Brad Nigh: yeah, if you have staff that can do that. Absolutely. I have a feeling that there’s a large number of organizations that are going to have CMMC requirements that do not have, you know, the capability or the, you know, the expertise to do that. And that’s, that’s good. And that’s gonna be a huge underserved market, or percent of what we consider an underserved market right now. I mentioned how many security firms are helping out farmers, right? You know, we’ve got a couple of co-ops that we work with, but there, I can tell you from experience, security is not a top priority for them.

[00:36:35] Evan Francen: No. No. And honestly it’s it’s not a top priority for most business, isn’t it? Probably should. It just needs to be a priority.

[00:36:43] Brad Nigh: Right? True. Yeah. It’s something that a lot of places are not thinking about at all and that’s going to change pretty significantly.

[00:36:52] Evan Francen: Yeah, so okay. Uh, right, so CMMC, it’s coming, it’s, uh, sort of, you’re some practitioners, so if I want to send a security person and, you know, I’m interested, I want to get in on this game. The first thing I need to do is go get a job with an RPO or 3PAO. Right?

[00:37:16] Brad Nigh: yep, correct. Yeah, yeah, and I like that. So you’re not going to have single people floating around there. There’s going to be, I mean, it’s a fairly big investment. I think it was like $5,000 for us to apply as a company. Okay. But it isn’t a huge number, but it’s still showing you’re making a commitment to this? Okay. Right. Sure. As opposed to $500 for an RP, for the registered practitioner. Right. That isn’t nearly as big a commitment for anybody. Well, you know, generally speaking anybody could go and pay $500, but now if you’re working with a company that’s doing that, I think it adds some credence. Yeah

[00:38:05] Evan Francen: and if you’re advising customers, you know, say you’re a security consulting company or security consultant and you don’t work for an RPO or 3PAO, it’s still important for you to get, you know, kind of acclimated and understand CMMC. Yeah, it’s that, that will need it. There’s nothing wrong with you consulting them, there’s nothing wrong with you, yeah, giving them some advice. Just can’t do it at the same level that an RPO or a 3PAO can.

[00:38:39] Brad Nigh: correct, right? There is no requirement to work with anybody that is certified by the CMMC Accreditation Body. There’s to do readiness for this. The benefit is, you know, that anybody listed on that marketplace has gone through the training and has signed the code of conduct, knows what’s going to be expected and has gone through training, made that commitment

[00:39:04] Evan Francen: right. Well, and it’s, I think it’s important to work with an RPO as well because the RPOs will probably have some relationships with the 3PAOs, you know, they don’t now, they will as they keep going down this path. And like you said, certain auditors like things a certain way. It’s not the rules by any means or anything like that. It’s just, I like it packaged this way, or if you put an auditor, who is a human being, in a good mood to make their job easy, the questions are a little bit easier. I mean, it’s just looking at first,

[00:39:36] Brad Nigh: right, right. It doesn’t mean they’re not gonna be looking at the same thing. You know, it’s just that yeah, like you said, it’s how they phrased questions and dig in and kind of twist the knife at times. Maybe they don’t do that right? They say okay. Yeah, you’ve got that good.

[00:39:54] Evan Francen: Yeah. So I can certainly see the benefit of working with an RPO. And I see why the 3PAO is, they’re the ones that are going to be signing off at the end of the day, the either doing it or not. And I assume that they’re the ones that are also going to be held accountable if the company wasn’t doing what the 3PAO said that they were doing

[00:40:14] Brad Nigh: right? Oh yeah, it’s, uh, you know, as a 3PAO. Let me see if I have it.

[00:40:22] Evan Francen: What does 3PAO stand for?

[00:40:24] Brad Nigh: Certified Third Party Assessor Organization. So I just, I just dropped the C. It’s just 3PAO. It’s just easier. Um, you know, there’s, there’s a whole bunch of things around, um, with ethical requirements and things like that. Uh, and so the way that this will work is that I

[00:40:48] Evan Francen: was getting choppy.

[00:40:49] Brad Nigh: Yeah.

[00:40:52] Evan Francen: Yeah, the video is making it choppy here.

[00:40:54] Brad Nigh: Okay, well I’ll turn mine off to.

[00:40:56] Evan Francen: No, no, you’re good. Uh As soon as it gets better.

[00:41:00] Brad Nigh: Okay. All right. Uh, so the way the work is, the 3PAO does the assessment with a lead assessor. The team can be, you know, anywhere from one person to as many as it takes to have, um, the expertise for whatever the scope is for certification. Then the 3PAO will do an internal QA on it, submit it to the CMMC-AB. The CMMC-AB will then do a QA on that and either agree or disagree with it. But, you know, there’s, there’s a, a path for organizations to submit allegations to the CMMC-AB. Uh, and then on the flip side, if the CMMC-AB QA process finds that a 3PAO is not getting the right, uh, evidence or things like that, they can, they can lose their certification.

[00:41:58] Evan Francen: All right. I like that building.

[00:42:03] Brad Nigh: Yeah. I think it would be good. I think, you know, it will be interesting to see and kind of track who, who has approved, who’s not approved, who loses because they’re not doing it right. You know, you have things where with, like, PCI, where they’ve gone after some of these companies and now those companies are under additional scrutiny on every single ROC they turn in. Well, is that going to happen here? And is it going to be tagged in the marketplace like it is on the PCI Council site?

[00:42:39] Evan Francen: Right. Right. And so when is the first certification expected has already been done

[00:42:47] Brad Nigh: uh, this year? I haven’t seen, um, if, I don’t think any of them have been awarded yet. There’s only gonna be 15 contracts for the DoD with CMMC requirements, um, issued this year. Okay. So I haven’t seen when those will be awarded at this point. But again, I wouldn’t wait because you’re gonna have the evidence,

[00:43:12] Evan Francen: right? And if it’s got to be part of your culture and you’ve got to demonstrate that you know, you have to have that long term, six months, one year plus sort of like this is the way we do things kind of thing. Yeah, I think a lot of people are going to get caught up with that because people do wait till the last minute and yeah, that’s that’s gonna suck. You heard it here, don’t do it,

[00:43:35] Brad Nigh: yep. No. And, and I’ve had a high level conversation with our, you know, sales team and it’s like, guys, tell them not to wait if you’re talking to people. This has to be ingrained and they have to have evidence. Like I kind of see it as a combination of sort of PCI and SOC 2 Type 2. PCI in terms of it’s got fairly prescriptive requirements, as opposed to SOC 2 where you write and say, hey, here’s how I’m meeting this. Um, but SOC 2 in terms of having to show evidence over the course of a, you know, a 6-12 month window. It’s kind of, kind of a mix of the two, is kind of my feel on how these assessors are gonna be looking at things.

[00:44:19] Evan Francen: It’s cool, man. All right, so people have questions, they can, you can always email the show, you can email anybody at FRSecure. Uh huh. You can email me if you want to be forever before you get a response. But

[00:44:35] Brad Nigh: yeah and we want to

[00:44:38] Evan Francen: make sure that anybody who’s got who’s confused with this can reach out and get answers,

[00:44:43] Brad Nigh: yep. Absolutely. And, you know, we’ll be, we have already got, you know, several companies that are going, okay, well, what does this mean? So it’s good. We’ve got three more people that are signing up and we’ll be going through the training here over the next three weeks. I think a couple of them are doing it next week and then a couple weeks out. So we’ll have four registered practitioners, and the requirement is one. You have to have this one person employed that’s a, or under contract, that is a registered practitioner. So we’ll have four. We’re gonna eventually, depending on, um, you know, the business demand for it, we’re prepared to get everybody on our consulting team certified if, if the demand is there. Yeah. Sure.

[00:45:35] Evan Francen: Well, it’s good. I think even, even if you’re not doing the actual RPO work, if you’re doing vCISO work, it’s good to know this, right. Yeah, add up.

[00:45:48] Brad Nigh: Absolutely. And like I said, I don’t have any evidence of it, but my gut feel is you’re gonna start seeing other organizations within the government and maybe even private entities looking at the CMMC as a requirement.

[00:46:06] Evan Francen: Yeah. Well if you if you do it right and you really do make it part of your culture uh you know that’s the most cost effective way to do it. You recover those costs over time. You think,

[00:46:22] Brad Nigh: oh yeah, well, it’s like I tell people, I’d rather help you out proactively, even if it costs us a little bit of extra hours versus what we thought it would take, rather than, how do you have an incident six months later and go, well, you guys, I didn’t understand what you told me. How does that help? Right. So, you know, let’s be proactive and help people be doing the right thing. It’s going to be cheaper in the long run.

[00:46:48] Evan Francen: Do you think FRSecure has any plans to do, like, a webinar on this?

[00:46:54] Brad Nigh: uh, you know, I don’t know. Uh, well, like I said, I’ve only had this for a couple of weeks. I’m sure we’ll do something around it as things ramp up. Yeah. Um, you know, I need to work with Alex and marketing on, you know, what, what our stuff will be that will come out of that.

[00:47:17] Evan Francen: Yeah. Because just knowing people, you know, the easier we make it for them to find the information and the clearer we are in the way we communicate it, I think the better off everybody is going to be, because, you know, people are going to put it off, you know, and they’ll find any excuse to do it.

[00:47:34] Brad Nigh: Yeah. Well, and I think I like that, knowing that, right? I like the fact that they are requiring a significant period of time, right? You know, and we’ll have to see what that ends up fleshing out as. Um, but to me I would say at least six months.

[00:47:54] Evan Francen: Right? Well, and it would just, it always breaks my heart when you sit across the table from somebody and you have to tell them the bad news that you’re not, in this case, you’re not gonna get that government contract, right? Why? We got, we got the best product at the best price. Yeah, but you waited too long, right?

[00:48:14] Brad Nigh: And you know how many businesses could survive that right That that happens to

[00:48:21] Evan Francen: that. And so that I hate when I sit across the table from somebody in an incident and you know they’re gonna be going out of business, right?

[00:48:32] Brad Nigh: Yeah it’s no fun.

[00:48:36] Evan Francen: No man. So please listen to us. We’ll give you all kinds of free advice. Will be all kinds of free. Anything we can give you for free.

[00:48:44] Brad Nigh: I mean, yeah, go, go frsecure dot com slash resources. There’s a ton of free stuff out there already. Like, take advantage of this. We’re here to try and help.

[00:48:59] Evan Francen: Good, man. I’m glad that, that we’ve, we’ve got some authority, a supportive knowledge on CMMC, because I agree with you, it’s, it’s just going to get more and more popular. Yeah, it’s nice to be ahead of the curve a little bit.

[00:49:14] Brad Nigh: Yeah, and I’ll say this, it doesn’t feel like a money grab like some of the other private certifications do.

[00:49:22] Evan Francen: Okay. HITRUST, what, did I say that out loud?

[00:49:25] Brad Nigh: You know, there’s others as well.

[00:49:30] Evan Francen: Yes. See I can think of some more, but when I get it, man, I mean we’ve all got to play well in the sandbox together,

[00:49:38] Brad Nigh: but yeah, I think that this approach aligns much better with our philosophy and how we do things than HITRUST did, I mean, and that’s not just being discouraged or whatever towards HITRUST, just they didn’t align with our philosophy, that happened.

[00:49:56] Evan Francen: I will be disparaging of HITRUST, but you don’t.

[00:50:00] Brad Nigh: There you go. All right.

[00:50:03] Evan Francen: The first, yeah, opinion of FRSecure, any other company that I run?

[00:50:09] Brad Nigh: Yeah. Anyway, I’m just good discussion. We’ll talk to some news real quick.

[00:50:15] Evan Francen: Yeah, man, let’s do it.

[00:50:17] Brad Nigh: All right. So interestingly enough, there’s now been a third malware strain discovered as part of that SolarWinds attack. Uh, I know this is now called Sunspot, which attackers used to inject the Sunburst backdoor code into the vendor’s Orion platform without setting off internal alarms. Um, it worked, Sunspot worked by sitting on a SolarWinds build server monitoring running processes for instances of msbuild.exe, which is part of the, uh, Microsoft Visual Studio tools, and if it saw Orion was being built, it would hijack the operation to insert Sunburst, which is crazy.

[00:50:59] Evan Francen: Mhm.

[00:51:01] Brad Nigh: It’s pretty, I mean this is, it is definitely a very, very sophisticated attack, there’s no question about that.

[00:51:10] Evan Francen: Yeah, it’s it’s state sponsored and yeah, man, I mean there’s some serious resources behind this one.

[00:51:17] Brad Nigh: Mhm, yep. And I guess it has been attributed to Russia at this point.

[00:51:24] Evan Francen: Well, you know what I was telling, oh this was another conversation that came up in that with well, geysers was you know, about solar winds and uh I posed the question like who is the best, who’s the best in the world at chess? They say, well, the Russians, so this is a chess game.

[00:51:49] Brad Nigh: Mhm. Right,

[00:51:51] Evan Francen: it’s, they’ve already anticipated our moves. It wasn’t a mistake that FireEye found it, they did, the Russians didn’t make a mistake,

[00:51:58] Brad Nigh: no,

[00:51:58] Evan Francen: they intended for FireEye to find it so that we would, we would do their next move.

[00:52:03] Brad Nigh: Yeah, I would I would agree that that’s a very much a realistic uh take on it.

[00:52:12] Evan Francen: Yeah, it’s crazy, man, there’s more to come on that, I’m sure

[00:52:16] Brad Nigh: oh yeah, this is going to be, I think it’s going to be probably, I mean, it may be years before we truly know everything, I would say that it’s going to be months before we have a at least a good handle on it.

[00:52:31] Evan Francen: Right, And you know, and the thing is in those years that it takes for us to get a handle on this one There will have already been two or 3.

[00:52:39] Brad Nigh: Yeah. Yeah

[00:52:43] Evan Francen: losing ground brother.

[00:52:46] Brad Nigh: So, um, next one is, so that was from infosecurity-magazine dot com. The next one is from Naked Security by Sophos, Google Titan security keys hacked by French researchers. So Google Titan key, this is like a YubiKey. So you don’t have to remember passwords and it makes things more secure and, you know, basically, um, gives different data for authentication every time there’s a, you do it. Um, so that’s good. However, they figured out a way to, um, breach it via electromagnetic snooping. So, you know, it’s not a very practical attack. You know, you have to have very specialized equipment that they say costs about $10,000. You know, you have to have, um, access to the key. So, you know, and if you open up the key it’s going to be pretty well, uh huh, destroyed. They need to have, um, you know, they had to heat up the key with a heat gun so they can open it. Then you need a chemical to actually dissolve the plastic coating on the secure chip inside. Um, you know, and then you have to perform 6,000 digital signature calculations inside the chip to collect enough data, which takes about six hours. So, you know, the biggest thing would be, you know, is there a full, is there a significant risk to this realistically? Probably not, but it’s, I think, you know, it’s something that hopefully they fix in future releases of these keys.

[00:54:49] Evan Francen: Yeah, yeah, man, it’s like most of these, you know, the first, the initial attack does require all the specialized equipment and everything else, but, mhm.

[00:55:00] Brad Nigh: Uh oh looks seven

[00:55:03] Evan Francen: two the story where you know, it would be good for them to fix it. Oh

[00:55:16] Brad Nigh: oh are you back?

[00:55:18] Evan Francen: It’s a Mexican WiFi, yeah, Mexican WiFi.

[00:55:24] Brad Nigh: Yeah, you know, it happens. Last year we blamed it on, uh, was it Fortnite? This year it’s Among Us, all the people using it.

[00:55:33] Evan Francen: Well, there’s not even anybody here, it’s just, you know, happy Mexican topic,

[00:55:37] Brad Nigh: but yeah, like you like you were starting to say cut out, but the first proof of concept, it requires all this stuff, but once that proof of concept is out there, it’s only a matter of time before somebody figures out it takes it and makes it so that all these additional steps aren’t required.

[00:55:55] Evan Francen: Exactly, they make the attack vectors a lot more efficient, yep,

[00:56:01] Brad Nigh: no uh

[00:56:03] Evan Francen: Could find on that one,

[00:56:05] Brad Nigh: we have, thought that was pretty interesting. The last one I have is on Krebs on Security, sealed US court records exposed in the SolarWinds breach. Um, the judicial branch said it is now deploying more stringent controls for receiving and storing sensitive information, uh, following the discovery that its own systems were compromised. Um, so yeah, it looks like there were, that could be, I can’t imagine what is in some of the sealed court records and, you know, who does that open up for blackmail or other things. Uh, and not to mention, you know, just the public impact or public relations hit of, of something being released.

[00:56:55] Evan Francen: That’s true. Yeah, I’m not exactly sure what’s stored in those systems, but I do know that in my own work with lawyers there is a lot of non-confidentiality agreements and all kinds of other things, confidence and

[00:57:18] Brad Nigh: yeah, it said, uh, they’re working with Homeland Security, but the case management, electronic case files greatly risk compromising highly sensitive non-public documents, particularly sealed filings. So, you know, what does that exactly mean? You know, could that be evidence and whatever? I’m not sure, who knows. But this would definitely be, there’s probably a lot of really, information, you know, like I said, information that could be used for, um, blackmail or, or other purposes. So fun times there. Um, and then the third one I put in there, that is from Information, or fourth one, with Infosecurity Magazine, two thirds of employee security at home. So, you know, we’ll get those links out. Evan has lost his WiFi, so with that I think we will go ahead and wrap up episode 114 of the, uh, Unsecurity podcast. I have to pull up my notes to make sure I get all the correct information here at the end as I stall, see if I can get, makes it back. Um

[00:58:33] Evan Francen: I think I’m back.

[00:58:34] Brad Nigh: There we go.

[00:58:35] Evan Francen: Alright man, walking by me.

[00:58:39] Brad Nigh: Any uh

[00:58:40] Evan Francen: shout out for you? Mm, I’m going to give a shout out to, shoot, man, there’s so many good people. Uh, damn it, I’ll give a shout out to you. No, thank you. Yeah, I’ll give a shout out to you because I think you’re doing good stuff now. It’s neat that you’re leading the CMMC. I’m excited to get this book done with you. Yeah, I just really like all the stuff I see for you and stuff, and I’m glad your labyrinthitis is pretty much gone and get back to me,

[00:59:12] Brad Nigh: yep, basically one week left to clear for sure. Haven’t had an issue for, hmm, three weeks, 4 weeks, so Saviors Frost. Um, I think for me it’s all the consultants that volunteered to do the registered practitioner training. I know there was more than the three that were selected, you know, Victoria, Ryan and Sean, shout out to them for going through that as well and being, um, you know, willing to do that and take on new things, but it’s not up to the others that also volunteered and we’ll get them certified as well. All right, so that will be it for episode 114. Thank you to all our listeners. You can send things by email at unsecurity at protonmail dot com. If you’re the social type, you can socialize with us on Twitter. I’m @BradNigh and Evan is @EvanFrancen. And lastly, be sure to follow SecurityStudio @StudioSecurity and FRSecure @FRSecure for more of the things that we do. That’s it. And we will talk to everyone again next week.