Getting CMMC Ready: A C3PAO’s Perspective

Patrick Spencer:
Hey everyone, this is Patrick Spencer. Welcome back to another KiteCast episode. I’m here with my cohost, Tim Freestone, the CMO over at KiteCast. Tim, how are you doing this morning?

Tim Freestone:
Good. How you doing, Patrick?

Patrick Spencer:
I’m doing well. It’s a Friday, so we’re excited to wrap up another highly productive week. Uh, Tim, we’re joined today with a special guest, uh, Chris Rose. He’s a partner over at ARI. And toe a leading B2B cybersecurity, IT and compliance service provider. The team specializes in delivering best in class technology solutions that are secure and regulatory compliant in his spare time, Chris serves as an instructor at UCLA. where he teaches a course on cybersecurity and privacy for managers and professionals. His areas of expertise include cybersecurity maturity model certification, which is a hot topic right now in the marketplace, obviously, the DID regulatory compliance, among other things specific to the federal government. Chris holds an MBA, a master’s in computer science from UCLA, as well as a bachelor’s degree from Cal Poly. So Chris, we’re really excited to talk to you. We’re looking forward to getting your insights into what’s happening with CMMC, but some other things in regards to the regulatory space. So thanks for your time.

Chris:
Yeah, likewise, Patrick, Tim, appreciate you guys having me on and look forward to it.

Patrick Spencer:
So we were talking about this before we kicked off the podcast. You’re your organization’s a C3PAO. Sounds like something from Star Wars. If you’re not familiar with the team, MP space or

Chris:
Yeah.

Patrick Spencer:
regulatory space in general, you know, what is one and how do you become one?

Chris:
Sure, yeah, so it’s C3PAO stands for CMMC Third Party Assessor Organization. And really they stole it from FedRAMP, which I know you guys are FedRAMP authorized, so you’re familiar with kind of the C3PAO model, but with all the new CMMC stuff, you know, the big change or one of the big changes is there’s, the government’s not just gonna take, you know, defense contractors words for kind of what we call the self-assessment model, self-reporting. They’re going to have independent third party assessors come in. And so as part of that, there’s a whole ecosystem they’re building out and, and you have to get authorized by the, by the DOD and the cyber AB, who is the, kind of body that’s going to manage the entire assessment process for, for the entire defense industrial base. So the process is really, you apply, you have to go through kind of an entire background screening, you know, make sure U.S. company, there’s not. some sort of foreign malicious interest. And then we actually had to go through an assessment with the DOD’s Cyber Security Assessment Center called the DIPCAC. So we had to go through a CMMC level to certification assessment equivalent with the DOD to be authorized after we got through all the screening and everything to be able to go out and do the same assessments to their contractor base.

Patrick Spencer:
So tell us a little bit about Ariento. The company’s been around since 2014. You’re a partner there, I believe, the founder or co-founder of the organization.

Chris:
Yeah, we, I mean, so we’ve got really two sides of our business. And we’re, most of us are former military kind of federal government contracting. So kind of the CMMC stuff was a natural fit for us. Um, but one side’s our managed services side of the business geared more towards kind of the SMB market. Um, in the case of CMMC, you know, uh, SMB, you know, government contractors, which is a lot of the defense industrial base is less than a hundred employees. Um, And then the other side of our business is more of kind of an upmarket, kind of larger enterprise size clients to midsize. And that’s more of a traditional consulting kind of, you know, and that’s the side that is the C-3PO doing a lot of the assessments. So kind of the managed services side is the, hey, we’ll help you achieve the compliance and go through the assessment with you. The advisory and consulting side is the going in and actually doing the assessments. And we think the synergies work. work pretty well in terms of being on both sides.

Patrick Spencer:
And you guys have been probably super busy for about the past year or so with the OMB announcement from what’s been three weeks, four weeks ago. Maybe be helpful to give the audience a little update on what that means. But have you seen an uptick in business in the last three weeks after OMB

Chris:
Hehehe

Patrick Spencer:
said you have 60 days perhaps before you need to comply?

Chris:
Yeah, well, so the CMMC journey has been an interesting one with lots of ups and downs as I’m sure you guys know. So we are now back in an uptick, right? So it’s the CMMC 1.0, then the interim rule, then they pull back the interim rule, then CMMC 2.0, then rulemaking getting pushed out, and then all of a sudden kind of they come out of nowhere last month, like you said. and they submit the rule finally to the Office of Management and Budget. That starts the clock, like you said. And so with that, there’s 60 days, 90 days that can extend it 30 days. But basically, by the end of this year, we should know if OMB has either sent the rule back to the, you know, approved it and sent it back, it’ll go through public comments and everything, but send it back to the DOD to implement kind of how they see fit. Or if there’s some reason. that it doesn’t align with kind of like the president’s objectives and stuff, they could reject it, send it back to the DOD, the DOD would have to resubmit. So bottom line, beginning of next year, we should have a pretty good idea if this thing’s back in the DOD’s hands to kind of roll out, you know, as they see fit.

Tim Freestone:
So to your point, though, it could go back and we’d be just waiting again, right?

Chris:
It could,

Tim Freestone:
That’s…

Chris:
yeah. Yeah, I mean, I think it’s, so we’ve been through, I mean, with this journey, and it definitely has been a journey, right? There’s been administration changeover that it’s made it through. And I think, you know, I’ll speak personally for myself. I think the take here is that cybersecurity is one of those, you know, not very polarizing topics, right? Kind of everybody’s kind of behind it. I think this is something that, you know, this is following on. the DFAR 7012 requirement to assess against the necessary 171. So it’s not new, it’s just kind of adding that inspection arm, it’s also breaking it into kind of multiple levels to be a little more reasonable for certain contractors. So I think, our thought is, yes it is the government, yes it is taking time, so there’s lots of ups and downs, but I do think that the support is there and. I would be surprised at this point if they say it doesn’t align with the president’s objectives because that’s really the reason that they’d kick it back. You look at what’s coming out of the White House these days and it is a lot of software, cyber security, supply chain cyber security. It seems like we’re getting closer to the finish line, but you never know. It’s the federal government.

Patrick Spencer:
How about

Tim Freestone:
Yeah.

Patrick Spencer:
Rev 3, right? Is that going to mix things up? You know, what’s the status there? What do you expect to see happen?

Chris:
Yeah, so one of the things, I mentioned that there is a current requirement, right? So the DFAR is 252.204-7012, right? The beauty of the federal government is everything has to be in writing, and if it’s not in writing, it doesn’t really exist, right? And if you can find something in writing, you can make an argument for anything. So back, this was about 2018, January 2018, I believe. the DOD started rolling out this DFARs clause in their contracts, which essentially said, you know, if you, if we, if we think we’re going to be giving you controlled unclassified information, which is what most of this is all about, right? And controlled unclassified information is just, it’s proprietary information that the government marks, right? It replaces the old FOUO, if you’re familiar with that program, Obama kind of did that to replace it. But it’s no different than, than then KiteWorks saying, hey, we’re gonna have this partner and we’re gonna put a contractual obligation in it that says if we label anything proprietary or sensitive or however you guys wanna label it, we want you to do these things to protect it, right? And so that’s what this is all about. So there’s a current standard right now. It’s just a self-attestation standard, number one, right? Number two, it says, so you have to do an assessment against yourself. You have to report your score to the government so that they can see it on record, which kind of sets you up for we’ve started to see. We started to see companies be pursued under the False Claims Act, right? If they do report a score that’s maybe not correct. You have to, if you’re using the public cloud, right? This matters for you guys for sure, your customers, and I know you guys are FedRAMP moderate, but you have to be using a FedRAMP moderate or equivalent cloud service provider. And then there’s some reporting requirements in there if something happens where basically the DOD can come in and take all the evidence. So that’s kind of where we are now. And that is all based on NIST 800171. Right now it’s Rev 2, so getting back to your question. That, you know, and that’s been in place since, like I said, January 2018, so this is nothing new. When CMMC came along, you know, really what they were looking to do was add the inspection component. This is no longer a self-reporting attestation, right? We’re going to have somebody come in and look at you. And they kind of broke up NIST 800171, the controls, you know, to say, hey, you know what, if you’re just a landscaper on Camp Pendleton, you know, we’re not going to give you control and classified information. So maybe you only have to do like the 17 controls, right? So

Tim Freestone:
No.

Chris:
so but when the DOD so they came through with CMC 1.0 and then with 2.0, really what they did is they signaled and actually said it. Hey, we’re going to align. We think that CMMC or something like it is something that could be a federal government standard, not just starting in the DOD. So we’re going to better align with the federal government. And the federal government is, you know, National Institute of Standard Technology putting out these publications. So I think, you know, to get back to your question, yeah, Rev3 has come out, it’s had its period of comments, now they’re taking it back for kind of revision and looking at it. I think that’s just something where, you know, that’ll just be the updated standard. It’s not terribly different, a little more focused on supply chain, but it aligns well with CMMC and kind of the vision of, hey, they’re gonna point to NIST for these security controls.

Tim Freestone:
So right now you’re, I’d imagine in your role, you’re sort of consulting, advising. You’re not assessing yet, correct? Because the rule isn’t final.

Chris:
So we are doing what are called joint voluntary assessments

Tim Freestone:
Okay.

Chris:
with the Dibcac, so with the DoD Cybersecurity Assessment Center. So the same folks that, you know, same group, at least that assessed us to be able to come and authorize C3PO, there’s a pilot period right now where we will go into, for companies that wanna volunteer to do this, we’ll go in and lead an assessment with the DoD there as well. And it’s kind of a… Two for one is the wrong term, but I think that’s the thing that people understand the most. What it is, is it’s technically a NIST 800-171 assessment. Again, same security controls, right? And the DIPCAC will report and give them a score and report that score to the supplier performance readiness system, right? So they’re going to get under the current world that we live in, they’re going to get that NIST 800-171 assessment. At the same time, because we’re leading the assessment, we’re doing it from a CMC level two standpoint, which again, very similar and the idea this isn’t this hasn’t been Formalized yet, but the idea that the DOD has said, you know that what they’re looking to do in the final rule is Anybody that went through one of these if you passed Will essentially immediately get that CMC level 2 certification

Tim Freestone:
grandfather

Chris:
when the

Tim Freestone:
in

Chris:
rule

Tim Freestone:
the kind

Chris:
comes.

Tim Freestone:
of deal.

Chris:
Yeah when it gets published,

Patrick Spencer:
So

Chris:
so

Patrick Spencer:
they’re

Chris:
it’s

Patrick Spencer:
all

Chris:
kind

Patrick Spencer:
set

Chris:
of

Patrick Spencer:
from day one. Yeah.

Chris:
Yeah, so the answer your question Tim. We are doing assessments. We’re just doing it with the DOD and it’s under this different kind of regulation, but should translate to kind of the first CMMC assessment.

Tim Freestone:
And if it doesn’t, I’d imagine even then it’d be a lot speedier assessment under the final

Chris:
Yeah.

Tim Freestone:
rule.

Chris:
I mean, look, there’s risk with all this stuff, right? Because it’s the government and they have changed on this journey. I think, you know, we try and tell our clients, we’ve put some even some contractual language in there that says, Hey, look, our, our intent is to is to roll this thing over, you know, in line with what the DOD said, obviously, if something comes out that changes the way that has to happen, you know, we’re gonna do right by you as much as long as nothing’s changed with the scope standpoint, right? Like, essentially, this is kind of our, we’re calling our CMC early bird assessment program, we’re essentially saying, hey, we’ll come in and do the assessment again at no additional cost because it wasn’t your fault that the DOD changed their mind, right? As long as there’s not like a substantive change to where it’s being scoped differently or something, and we do have to do a lot of rework, you know, yes, I think it will be a pretty quick, you know, follow-up assessment and that’s kind of how we’re treating it.

Tim Freestone:
Got it. Makes sense.

Patrick Spencer:
Another great opportunity. So you’ve been talking and assessing a number of different organizations. Are there any trends or is there a coalescence around certain areas that organizations are struggling the most with? Have you seen anything there?

Chris:
Um, yeah, I mean, it’s, it’s interesting. I think,

Patrick Spencer:
without

Chris:
I

Patrick Spencer:
naming

Chris:
think,

Patrick Spencer:
names.

Chris:
yeah, no, no names. Well, and, and organizations are at all different places in their journey. For sure. I think one of the things that we see that is a very basic fundamental, um, is, is actually scoping, right? And so the scoping guidance is out there in terms of how you categorize your assets and what is in scope for the assessment. Um, and, and a lot of times what we find is. you know, organizations or, you know, in general, we’ll want to just jump straight to kind of the, well, let’s identify the gaps or let’s remediate or let’s assess, right? And it’s like, well, actually, what we found is just a lot of them don’t actually have the right scope and know their scope, right? And so how can you, we can’t assess it until we know all of the people, all of the places and facilities, all of the systems that are in scope, and more importantly, all the ones that aren’t in scope that we don’t have to look at. And so I think It sounds very basic, but I think for a lot of organizations that we go into that aren’t living and breathing this stuff every day, scoping exercises is actually the most important part and trying to kind of skip that just leads to a lot of rework and going back.

Tim Freestone:
Yeah.

Patrick Spencer:
I was going

Tim Freestone:
So…

Patrick Spencer:
to ask you how to prepare for one, but you answered that question right there. Figure out the scope before you go engage the C3PAO. It’ll make the process go immensely faster.

Tim Freestone:
What’s the, from your perspective, the general tenor in the D I B right now, in terms of how seriously that by and large they’re taking this now going to the OMB or are they, you know, is anything changing? Are they, cause I was talking yesterday with, um, uh, a consultant for manufacturers, similar to you, but not, not as DC three PAO. And basically a lot of it, he said a lot of them are just weighing. It’s like bean counting. It’s like, well, It’s going to cost us this much to be certified. We have this much of contract. It’s going to be this much of a fine and just sort of like, what’s the cheapest path here because we have, we have options, you

Chris:
Yeah.

Tim Freestone:
kind of see that as well.

Chris:
I mean, we definitely, especially in the S and B market, we see a lot of like shopping early to try and figure out how much are these assessments going to cost, right? I mean, at the end of the day, the DOD is going to foot the bill for all this stuff, right? Assuming they get on the contract, the DOD is going to end up paying more on these contracts. And I think they know that.

Tim Freestone:
Mm-hmm.

Chris:
But yeah, we see some shopping. I think with the rule going, you know, in the past three, four weeks, we have seen an uptick in in inbound, right? I mean, this entire I mean, we’ve been going four plus years now, it has been a constant like, you know, peaks and valleys in terms of pipeline and immediacy. And the prime, you know, at first, it was the you know, the DoD got the prime contractors to really, you know, put a lot of information out there and kind of push their subs, right. And I think from a prime standpoint, right, if I’m a if I’m a Lockheed or a Booz Allen, or somebody that’s, you know, one of these major big players, I mean, it’s a serious risk if your supply chain doesn’t certify and can’t now. You know, you’ve got to find there’s only so much so many suppliers with a lot of this stuff, especially with some of the other requirements around US sovereignty and things like that. So I think at first we saw the Primes pushing it and they’re still pushing it because they want to make sure that most of the most of the defense industrial base is small businesses. But I think. I think, Tim, your sentiment is the right one that we see. We see one of two things. We see, for those that are primarily defense contractors, I think they’re just not messing around and they’re like, hey, something’s coming, right? This is all aligned. I’m gonna have to do this. Like, I’m gonna do the stuff at least that I know I have because this is an out of business risk for me if I all of a sudden can’t get contracts because

Tim Freestone:
Mm-hmm.

Chris:
I don’t have certification, right? And some of them are even viewing it as a competitive advantage. Can I get this certification first? So therefore my competitors, when I’m going after a contract, they actually can’t bid on it yet because they’re not certified. I think on the flip side, for those that maybe have a commercial business or maybe they’re federal government contractors, but the DOD is only whatever chunk it is, I think they’re taking the more kind of risk appetite measuring the cost benefit analysis approach in terms of what… when is the right time to jump in on this and really commit to the costs and the burden that comes with doing this?

Tim Freestone:
Mm.

Patrick Spencer:
Are those Primes Criss beginning to put the screws to their subcontractors? Cause they know they need to get their house in order, just not themselves, but the subcontractors are working underneath them or any to comply as well. Are they putting them through

Chris:
Yeah,

Patrick Spencer:
the pages?

Chris:
yeah, I think I think what we see a lot of is questionnaires, right? So the primes, the reason the primes care is because in their contract with the government, the DOD, right? I mentioned that DFAR 7012 clause for CMMC, it’s going to be 7021, 22, whatever. They have a requirement to flow down the exact clause, the exact requirements to any subcontractors that are going to process, transmit, restore, control across their information. So So it’s actually a contractual obligation for them to flow down this clause. And what we see a lot of is, again, this isn’t not in place, it’s just a self attestation. So DFAR 7012 and this data 171. So we see a lot of questionnaires around asking them to put on record, what is the status? Have you done this? What is your score? And then ultimately, That’s how we see a lot of primes, kind of almost like a, I don’t want to call it a CYA, but it is a little bit to say like, hey, we want to make sure that you guys are taking this seriously and you’re going to have to answer these questions. The other thing that I think is driving some of this for the primes and ultimately small businesses is when the DOD, when they pulled back the interim rule for CMMC 1.0 and they rolled out CMMC 2.0, they also rolled out. DFAR 1719 and 20, right, which requires contractors. So today, before you can be awarded a contract, you have to have, you have to report your self-assessment score, right, or if you had somebody else do it, fine, against NIST 800171, you have to report it to the Supplier Performance Readiness System, SPRS. And, you know, if you look at, you listen to the attorneys and stuff, there’s not a lot that the DOD can do with that score right now necessarily, except, Every company is now putting on record their self attestation, right? And if something were to happen or whatever, right? Like what we’ve started to see is, is companies be pursued under the false claims act, right? So this is kind of the in-between world where it’s like, yeah, we’re, when they pulled back, see them, MC to say, Hey, we’re going to, we’re going to take a little more time with this. They also did put a mechanism out there to say under the current world, you still have to be doing all this stuff. And oh, by the way, now we’re going to make you put on record. And I think, you know, back to the question, I think the primes. And some of the subs that’s become something that, you know, they don’t want to report a bad score, right? Like a negative score, but they also don’t want to lie because they want to set themselves up for liability.

Tim Freestone:
Hmm.

Patrick Spencer:
Now you saw the assessment from CyberSheath where the majority think they’re compliant, but in reality, based on the assessment from the DOD, they aren’t. So that the False Claims Act is going to come into play, it sounds like, or folks need to take it seriously. Is it just they’re unaware that they have those gaps in their environment or are they prematurely reporting that they’re compliant? What’s driving that, do you think?

Chris:
You know, I mean, one thing that I think is relevant here is that, and this is a, this is a problem with the, the assessors as well. Like, you know, we have a, we have a cyber security, like talent problem to begin with, right?

Tim Freestone:
Yeah.

Chris:
Like a bench in education, right? So, so in terms of technical talent, right. That can, that can do this stuff. And so I think, I think one of the things is just like, you know, it’s a big burden for especially a small business, right. to do this and then how, there’s only so many folks out there that really know what they’re doing, right? And that’s growing, right? That’s part of the mission of the Cyber AB and a lot of this stuff is to build this talent base, right? But I think, you know, if you don’t have somebody really good who’s telling you, you know, who knows this stuff, right? It’s like finance, right? I think cybersecurity really is kind of becoming the new finance in terms of like, We’re starting to have audits, right? Starting to be reporting. You know, as a business owner or board member, you’re expected to understand the financial stuff, even if that’s not your area of expertise. I think what we’re starting to see is a shift towards them having to understand cybersecurity a little better than they do. And that shift’s just gonna take time because it’s not a skillset that a lot of people have right now.

Tim Freestone:
Yeah, that’s, and that was kind of what I was getting at earlier is a lot of companies are just looking at the burden and sort of making the decision whether the burden is worth, is the juice worth the squeeze or do we just, you know, uh, risk, um, the fine or risk the business because, you know, it’s more expensive and more painful the other way.

Chris:
Yeah, well, and the thing with CMMC, at least if they stick, again, we’ll see that they’ve been the final rule is, this is actually not gonna be punitive. It’s not like ITAR, right, which is a fine, right? There’s fines in ITAR, which can be pretty significant, but CMMC, it’s a sorry, you cannot get on this contract, right?

Tim Freestone:
Right,

Chris:
So

Tim Freestone:
you

Chris:
it,

Tim Freestone:
lose the contract.

Chris:
yeah, and so you, or you, yeah. So I think it’s, it’ll be

Tim Freestone:
Isn’t

Chris:
interesting.

Tim Freestone:
there fines if they say they are and they’re not? There’s, I can’t

Patrick Spencer:
That’s

Tim Freestone:
remember

Patrick Spencer:
the false

Tim Freestone:
what that

Patrick Spencer:
claims

Tim Freestone:
was.

Patrick Spencer:
act, I think, that

Tim Freestone:
Paul’s

Patrick Spencer:
Chris

Chris:
I

Patrick Spencer:
mentioned.

Tim Freestone:
claim

Chris:
think that’s

Tim Freestone:
back.

Chris:
where you’re getting to the false. Yeah. So, uh, Rocket Aerodyne was the big first one to kind of, I mean, false claims has been around a long time.

Tim Freestone:
Long

Chris:
It just wasn’t

Tim Freestone:
time no.

Chris:
typically used for cybersecurity

Tim Freestone:
Great.

Chris:
and, and now you’ve started to see them under cybersecurity, you know, go at the DOJ, go after companies, um, for, for false claims related to cyber.

Tim Freestone:
Right. And that’s what, that’s kind of what I meant with the, the fines. It’s sort of make the claim and if we get fine, at least we got the business, you know, it’s stuff like that. It’s just, there’s a lot of balancing in people’s brains right now in the DIV on what’s, what’s the least expensive path to outcome, you know?

Chris:
Yeah. Well, and to be fair to them, I mean, again, they’ve, they’ve followed this journey like we have with

Tim Freestone:
Right.

Chris:
all the starts and stops. And, and I think it’s, it’s a balance, you know, it’s a, it’s a risk calculation in terms of, of when you, when you start and, and what you do and how you do it. And, um, each company has got to make that decision for themselves.

Tim Freestone:
So we spend a lot of time, obviously for good reason, talking about level two, anything going on with level three or just not, you’re not thinking of, because the other day on LinkedIn, this group,

Chris:
Yeah.

Tim Freestone:
CMMC 2.0 information released an assessment guide for level three. It was like 85 pages. And I’m not sure if that was, it couldn’t have been fake, but we just can’t, it looks like a draft and help us understand what’s going on right now.

Chris:
Yeah, I mean, so level three, the main difference between level three and level two is level three, the DOD is actually going to assess. So that same Dibkak who assessed us, they want to reserve the right for certain high-priority key supply chain partners to come in and say, you know what, we’re going to do the assessment. There hasn’t been a ton of information on that because I think this is my analysis of it. With 1.0 and then pulling back to 2.0, I think what the DoD has said is, hey, we got to focus a little bit here on getting something out and start iterating on it. And one of the things that they kind of did is they said, hey, look, 3.0 is, it’s going to be us with the DoD, right? So it’s less about the whole ecosystem and we’ll get there. And they kind of punted that back. Nobody’s seen what the final rule looks like that’s at OMB right now. So maybe there is some stuff in there about it. You know, I think from, from what we’ve, you know, we’re, we’re in, we’re in meetings with the cyber AB every Friday, right? DoD joins from times to time. There’s different groups to see through videos talk about. We all go through different, you know, we’re, we working with the DoD in terms of these joint voluntary assessments, right? People hear different things until we see something in writing. I think, you know, with a grain of salt, but, uh, I think the focus right now is really on the level two stuff and getting that out.

Tim Freestone:
Yeah.

Chris:
Um, but, but who knows.

Tim Freestone:
Yeah, that’s the who knows is pretty much the sentiment across the industry right now. How, in terms of C3PO’s, how big is this ecosystem now? Are we talking hundreds, thousands of people? You know, you know what choices the DIB has at their fingertips?

Chris:
Yeah, at last check, there was like somewhere in the 40s. You know, that could

Tim Freestone:
Okay,

Chris:
have gone

Tim Freestone:
of course.

Chris:
that could have gone up since,

Patrick Spencer:
Not many.

Chris:
you know, a few weeks ago when I checked. Yeah, well, and I think that’s I mean, we mentioned if this thing goes through OMB, they give back to the DoD to roll out. I think that’s that is one of the big challenges of this for the DoD is how they’ve said they’ve said, Hey, it’s gonna take five years. Right. But but how do you roll this out in a way to where you don’t create a supply problem? right? So there’s only there’s only whatever, let’s say there’s 50 C3BOs, but there’s 20,000 that need an assessment, you know, in the next three months, right? Like, like, the cost is going to go way up. Ultimately, the DOD is fitting, footing that bill, right? And so I think that is a real challenge that I imagine they’ve been thinking quite a bit about, you know, when they do get the rule back, how are we going to do this in a measured way? And I mean, the other thing, which I think is, is why a lot of the push from everybody to start now and get going, right? And then the primes, and this has been going on for four years is, if you have a lot of failed assessments that takes folks out of the supply chain, right? You’re just creating even more of a supply problem with C-3VOs, cause they’re the only ones that can come back, they’re gonna have to reassess, right? Or they’re gonna have to do the Delta assessment, you know, if they go into a poem or something like that. So the practical rollout of this is no small challenge. And I think it’ll be interesting to see how they go about it.

Patrick Spencer:
So

Tim Freestone:
Interesting.

Patrick Spencer:
if you’re looking for a C3PAO, what types of things should a company ask? You know, what do companies typically ask you when they’re vetting you as an option?

Chris:
Yeah, I think… You know, I think one of the things that they care about is, at least on our C3PO side of the business, we deal more with kind of the mid to large organizations. And I think some of the things that they look at is, you know, this, I mentioned, let’s just say, there’s 50 of us C3PO’s right now. There’s kind of three types of companies that are C3PO, right? There’s like the kind of the mom and pop kind of small, like, or maybe it’s just one person and maybe they use contractors and, you know, and they’re… some of those are really good assessors, right? Like they really know this stuff, maybe they used to work, but they’re limited in terms of their kind of their capacity and their experience is what it is, right? You don’t have multiple people kind of building to an experience pool. Then you’ve got kind of the bigger player, right? Like your more traditional kind of bigger consulting firms, which we’ve actually worked and seen a lot in that they, let’s take a Deloitte or a… Booz Allen or Accenture, for example, right? They’re your more traditional consulting. They’re gonna have these arms. They do FedRAMP, that kind of stuff. This is just a business line added to them. And they’re just, they’ve been doing this stuff. And then you’ve got kind of the middle thing, which is where we fall, which is, we’ve got a lot of those big business people that are now on our team doing this. And we think that we’re providing that same quality, but at a middle price. But I think that the… You asked what they’re asking about. I think for the ones that we are going into, which is more the mid and large size, right? Or academic organizations, things like that. Risk is probably the biggest thing to them. You know, yeah, price always matters to an extent, but this is so new. It’s new. They want to lower their risk from an assessment standpoint. as much as possible, right? They don’t want somebody in there that doesn’t know what they’re doing, right? That doesn’t have the technical aptitude to understand the complexity of their environment, right? Especially you start to get into some of these academic organizations or larger ones, like it gets really complex, really fast, just to figure out scoping. And so I think, you know, proving your technical aptitude and like, hey, I get this, I get this, I get what it’s like to have a large complex organization that does commercial business, federal business, DOD business, this kind of stuff. And then also like, you know, the experience to say, hey, I believe that you’re gonna you’re gonna assess this correctly and we’re not gonna end up in an adjudication situation where we’re having to kind of push back and this becomes a business risk for us and it didn’t have to. So I think for us, it’s that. I think at the small, you know, we still, I mentioned on the managed service side, we deal with a lot of, you know, the SMB. I think for them, a lot of it is price shopping. I think a lot of it’s price shopping.

Patrick Spencer:
No, which makes sense. Now you guys do more than just CMMC when it comes to third party assessments. You do ITAR, you do ISO, maybe SOC, you know, talk a bit about that side of the business and what you’re seeing there.

Chris:
Yeah, I think we have our team, our folks, right? Like are all have all assessed in other standards. That was just a decision that we made that we want. We want folks that have are really experienced in cybersecurity assessments and doing this, which has helped, I think, in terms of as CMMC evolves and we’re on the CAP working group and providing feedback and stuff like that. Because because a lot of this, you know, you don’t need a FedRAMP, right? Which you guys are intimately familiar with. Let’s not reinvent the wheel if we don’t need to reinvent the wheel. There’s things that work in these other assessment things. I think what we’ve seen is the reciprocity conversation is a really interesting one. Hopefully that comes out with a final rulemaking. You know, the DOD has said have has. said the intent is for there to be reciprocity with FedRAMP, at least, what that looks like, TBD. But I think every other standard, especially the commercial ones that aren’t backed by a government organization, so the high trust and stuff, they are chomping at the bit to get reciprocity with CMMC and the DOD and the federal government because it legitimizes their standards, I think. So what we’re seeing is… Um, all this stuff is, is not exactly the same, right? Is there different flavors, but security controls are security controls. Evaluating them is evaluating them. Um, and I, and I think, you know, hopefully the, the different. Bodies that, that support these can’t can come up with some reciprocity arrangements because, you know, as fun as mapping security controls is and trying to say, prove equivalency and all this stuff, it’s, it’s a lot of effort, um, for something that, that probably could be figured out. in a room if they got together and hashed out.

Tim Freestone:
Well, I guess we’re all just sitting on our thumbs here for a couple more months and see what happens.

Chris:
Yeah.

Tim Freestone:
But to your point, I think we’re at the end of this run in terms of indecision, right? Because the Biden administration, it’s almost like they got a printing press for requirements right now in cybersecurity and executive orders. And this just falls. falls right in line so

Chris:
Yeah.

Tim Freestone:
hopefully.

Chris:
And you’ve seen, I mean, who was it? It just was a Homeland Security or a Department of Health just came out with a Cui protecting Cui thing, right? There’s C2M2 is a new one. So I don’t think this is going away. You know, the federal government cares about protecting information that they consider proprietary and labeled controlled, right? In this case and give to their contractor base. And so how that evolves, you would have to imagine, or you would hope that, that all the agencies, I mean, Cui control the classified information ended up itself. is managed at the National Archives, right? And each agency has to have their own kind of Kui program, CUI program. You would hope that the same thing in terms of like protecting it and frameworks and models that they end up aligning too, so you don’t have each agency having its own flavor. And I think that will eventually happen. It’s just a matter of how quickly.

Patrick Spencer:
The entire government supply base is at risk, just not the DIB to your point. You can see the applicability of this standard across

Chris:
Absolutely.

Patrick Spencer:
the entire.

Chris:
And a lot of the dib also works on other federal contracts, right? Like so make it easy for them to not, don’t make it more of a burden to have to comply with two different flavors of the same thing essentially.

Tim Freestone:
Yeah, exactly.

Patrick Spencer:
You

Tim Freestone:
Good.

Patrick Spencer:
spoke about FedRAMP. There’s one last point on that. I know we’re about out of time, but it’d be interesting to get your perspective in terms of you’re seeing various tools that are used by the different contractors who are coming to you for assessments. You know,

Chris:
Mm-hmm.

Patrick Spencer:
having FedRAMP moderate, does that help? You know, what’s the, you know, those who claim they have FedRAMP equivalent. Is that really the case? Is that a problem? What’s your perception?

Chris:
Yeah. So I mean, and this is going back to what we said. This is a requirement today. I cannot stress that enough, right? If you, if, if defense contractors have the defar 70 12 clause in there, it says, if you are processing, transmitting or storing, controlling classified information, right in the public cloud, right. Um, so Microsoft, kite works, you know, all, all of the above zoom, any, any of that, right. Um, that you have to, it has to be fed rent, moderate or equivalent, right? And, and so if you, if you are doing that as a contractor, it is a no brain and you want to continue to use the public cloud, right? Like it’s just a no brainer. You got to do it. It makes no sense. The equivalency thing. So yeah, you can go out and have a FedRAMP 3PAO, you know, do an equivalent assessment to you and give it to you. Right. Again, we’ve yet to see what reciprocity will look like. And if that will even, if that will even be taken by the government, right. Because. because they’re not, you guys went through the FedRAMP process, right? There’s the 3PAO involved, but there’s also A2LA, which is, and the FedRAMP 3PAO that accepts all of these assessments, and the agency that’s sponsoring you, right? So the government has a body that is regulating those assessments and approving them in the FedRAMP 3PAO. You take them out, right, and is the government really gonna give credit for this? So I think, look, equivalency can be proven, you can do the mapping of the controls, if a vendor’s willing to work with you. You know, you can get there. It is a hell of a lot of work.

Tim Freestone:
Right.

Chris:
And until we see that reciprocity rule, I just, I don’t know that it, I would be worried about the risk, the risk that you’re putting yourself at. So I think, and again, this is already written in the DFAR 7012. So what we kind of tell clients is, hey, if you want to use, you don’t have to use the public cloud, right? You can do on-premise stuff. You can do, you know, closed cloud, you know, AWS GovCloud or something. But if you want to do that, right, which for the SMBs is pretty big that they want to because it’s the most cost effective way, there’s just no reason to not use FedRAMP moderate or above.

Tim Freestone:
Yeah,

Patrick Spencer:
We

Tim Freestone:
good.

Patrick Spencer:
would agree at KiteWorks.

Tim Freestone:
Yes, yes. Gressy was such a great

Chris:
Yeah, it’s quite

Tim Freestone:
offering

Chris:
an investment,

Tim Freestone:
for the keywords.

Chris:
right? As you guys know, it’s not a small process to go through the FedRAMP authorization. It’s a heavy cost. It’s a commitment to say, hey, we are committed to doing things right.

Tim Freestone:
No, it is a heavy cost time. I mean, it’s, you know, RC. So you could probably spend an hour talking about how much work goes into that, you know,

Chris:
Yeah.

Tim Freestone:
and how much money. So.

Chris:
Absolutely.

Patrick Spencer:
So Chris, for any organization out there who is interested in engaging or finding out more about Ariento, where should they go? How do they engage with you and start that conversation?

Chris:
Yeah, I mean, our enter.com is the best, our website’s the best. If it’s specific to CMMC, our enter.com slash CMMC. And, you know, like I said, we’ve got kind of two, two sides of our business, two folks to talk to. One’s kind of the managed services side. Hey, you know, we’ve got some solutions that’ll kind of get you compliant. The other’s the more advisory consulting see through real side, which they can either help you prepare, you know, with readiness and gap assessments or the actual joint surveillance right now, but eventually the see through. assessment.

Patrick Spencer:
That’s great. Well, we’re out of time. We appreciate all your time today. The thoughtful responses, the ideas and suggestions that you had for businesses in the marketplace. Um, we look forward to having you on a future, uh, kite cast episode, uh, continuing this conversation for anyone out there who would like to, uh, check out other kite cast episodes and go to kiteworks.com slash kite cast. There’s a bunch of great podcasts just like this one that you can. listen to and download. Have a great day.

Tim Freestone:
Thanks a lot.

Chris:
Thanks Patrick. Thanks Tim.