CMMC Instructor and Expert Michael Redman discusses how DoD contractors and subcontractors can map out a successful roadmap to CMMC Level 2 compliance, what obstacles they might encounter, and reveals his insights and tips that can accelerate the certification process.
In this Kitecast episode, Michael Redman, who is a Knowledge & Learning Management Instructor at Schellman and is a subject-matter expert in various cybersecurity and compliance standards, spoke at length about Cybersecurity Maturity Model Certification (CMMC), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and other topics that are pressing concerns for the Defense Industrial Base (DIB). Redman asserts that businesses must approach cybersecurity as a risk management issue, just like any other business risk. Organizations must take proactive measures to mitigate cybersecurity risks and ensure they have a robust cybersecurity program in place.
Part of the podcast discussion with Redman involved the role of Certified Third Party Assessor Organizations (C3PAOs) and CMMC compliance. He explains that C3PAOs are an interesting entity and are being asked to shoulder a whole lot of responsibility with not a lot of reward. C3PAOs are swimming in murky water and need to be patient. As we proceed closer to CMMC implementation, the good, better, and best C3PAOs will rise to the top, and the ones that aren’t fully invested will focus their energies elsewhere.
Midway through the podcast, Redman spoke about the CMMC Standards Council, of which he is a part. He explains that the Standards Council is working to create an objective matrix that can be used to rate C3PAOs objectively. He believes this will help organizations choose the right C3PAO based on their needs and budget. The alpha version of the objective matrix was just completed and is circulating among subject-matter experts for feedback.
Redman also talks about the importance of having a risk-based approach to cybersecurity. He suggests that organizations need to identify their high-value assets and focus on protecting them. He believes a risk-based approach is more effective than a compliance-based approach, as it helps organizations focus on what really matters. He emphasizes the importance of having a cybersecurity program aligned with the business objectives of the organization and one that accounts for third-party risk management (TPRM).
Digital transformation is driving dramatic changes in cybersecurity. The confluence of cybersecurity and compliance demands a risk management model, and one focused on keeping private data private. Organizations can no longer view cybersecurity and compliance in separate silos but rather as intertwined and predictors of risk. Kiteworks’ content-defined zero-trust approach, which relies on the Kiteworks Private Content Network, is used by thousands of organizations around the world to unify security and compliance approaches to sensitive content communications while wrapping them in a hardened virtual appliance.
Patrick Spencer 0:24
Everybody welcome back to another Kitecast episode I’m here with my partner in crime. Tim Freestone. Tim, how are you doing today?
Tim Freestone 0:31
Good, how are you doing Patrick?
Patrick Spencer 0:33
I’m doing fine as well, we’re in for a real treat Michael Redman, who currently is the knowledge and learning management lead over at Schellman, CMMC provisional instructor, Assessor, you name it, he has like 20 different certifications and classifications that he can put after his name more than I can ever imagine. We’re going to talk about that with him among many other things. So Michael, thanks for joining us today.
Michael Redman 0:58
Hey, thanks for having me.
Patrick Spencer 1:01
Let’s start with you know, you’ve been in this role, I think for like 15 plus years talk a bit about what you do and what you like about it. And I’m sure it’s evolved over the years.
Michael Redman 1:11
Oh, absolutely. So, I mean, this is, this is a role, you know, I’ve grown to love. You know, and it happened quite honestly, by accident. Right. I was born in Columbus, Ohio, born and bred, you know, Ohio State Buckeye and you know, did what any good Ohio son will do. And, and went to Ohio State University and got what I call the degree my mom paid for, right, you know, got a degree in psychology. And no one bothered to tell me right or warn me, there’s absolutely nothing you’re going to do with a bachelor’s degree in psychology. Right. So at the time, I could have become like a social worker. But I still would have had to do I think we were like six more weeks of licensure and what have you. And, and I was definitely on the seven-year plan and college. So you know schooling was not in the cards for me. You know, and, you know, I really don’t care enough about other people’s problems to listen to them all day. So, so that just wasn’t going to work. So I ended up joining the Marine Corps and my dad was 26 years in the Navy. So I figured, you know, how could How can I go wrong there and had a great time. Unfortunately, you know, as, as the winds of change will have it ended up hurting myself and had to get out. And now I’m right back to square zero, right, you know, so, you know, got shipped out, you know, back to Ohio. realize why I left Ohio in the first place because it’s very cold. And so droves out, right, so until basically till I hit water, my little 89 Ford Probe and all that it would carry and just bounced around for about four or four or five years, you know, you know, everything from selling cars to I was a radio DJ for most of that time. You know, which I was also a nightclub DJ for some time. What’s that?
Patrick Spencer 3:04
You got the voice for the DJ work?
Michael Redman 3:07
Yeah, I mean, I absolutely have the face for radio.
Michael Redman 3:12
Unfortunately, people think right, that radio DJs get paid, you know, a fair amount of money, but we really don’t. Right? We do it for the sheer narcissism of it. And so, you know, I met a young lady that, you know, I was convinced I was going to spend the rest of my life with him and the life of a radio DJ is not conducive to a happy home life. So, you know, I left radio and ended up at Cingular Wireless right at a Cingular Wireless call center down at Ocean Springs, Mississippi, making 9.15 an hour fixing cell phones, right. And within two months, I you know, they had taken me off the floor and I became a trainer. Right? Because it’s just it was just intuitive to me to figure out how to fix cell phones. You know, because my mother right? She was a middle school teacher for a decade and then decided that she hated the kids. And you know, more I think if she were to tell you to she hated the parents. And he ended up going back to school and getting a degree in computer and computer programming. And I can remember almost to the day what the room smelled like right when she finished her schooling and sat me down in the kitchen said you know, no matter what you do in life, you are going to learn computers. You know, she didn’t care if I was a teacher or a trash man or anything else, right. But I had to learn a computer. So I was one of those kids that got computers every year for Christmases and birthdays and Easter and what have you. So one week we had a career fair at Cingular Wireless and the local community college came and set up stuff. And I was looking through the different offerings, and I stopped to talk to the, the counselor for computer networking. And I said, Well, what’s this all about? And, you know, she kind of explained to me, it sounded great, right, you know, traveled, you know, traveled the country as a CCNA, designing, setting up and troubleshooting networks from banks and schools. And you know, what have you? 
I said, Well, that’s great, but they’re shooting, you know, I don’t know that I’m cut out for it. She said, can you count to 255? I said, Yes, I can’t. She said, that’s all you need to be able to do. And I said, I can do that. So yeah, the next week I enrolled in school and kind of just the, the rest of you know, as they say, is history. Right, you know, now you’re almost 20 years later, you know, when I finished school, finished, you know, a couple of associates and bachelors ended up working for the DoD red teams. You know, because as it turned out, I was pretty good and getting into things that I wasn’t supposed to be at. And I figured, hey, if they’re going to pay me for it, then all the better. And over the years, just kept getting promoted farther and farther away from the keyboard were you I began managing teams of red teams, and then you know, eventually becoming a government civilian myself, managing all the contracts for the teams of red teams. And so working all of those different roles and absorbing, right, you know, how every side of the fence is a little bit different on how they approach cybersecurity and network security and just security as a whole. You know, I’ve kind of put together and a neat little ball that, that now I carry around in my back pocket, and people seem to seem to gravitate to it. So I guess it’s not a bad thing. And if I can, you know, help one or two organizations along the way, well, I’ve done my job, I guess.
Patrick Spencer 6:57
And for someone who was not inclined to want to continue a long trek in education, your background seems very strange. In a theoretical what that original position was, you’re not doing a JD from my understanding and cybersecurity at Cornell University, and then referenced all the long list of certifications, you have many of those, it’s not easy to get. So what happened was at the Marine Corps,
Michael Redman 7:23
you know, a lot of it, honestly, I will say a lot of it was right, you know, it’s one of those, you know, the, you know, the Marine Corps, it teaches you, you know, first of all, if you have a fear you face it, which is how I got hurt, right? You know, I used to be deathly afraid of heights, so, hey, why not go jump out of helicopters. And, you know, it also instills in you a very strong sense of work ethic, right. And, and a sense of, of accomplishment, and team building, and understanding that just because it looks difficult is not enough as an excuse to not do it. So, the path I laid out, right, you know, it was not going to be an easy path that that’s for sure. You know, I did a double major at the, at the junior college level, finished my bachelor’s and then you know, spent some time kind of, you know, just doing the work then a master’s in cybersecurity and yeah, now I’m in my second year of law school. So I’m taking an emphasis in cybersecurity and privacy. Right, and, you know, in law school, so it’s just been it’s been a labor of love. And yeah, no matter how much I didn’t want to teach everywhere I go, I ended up teaching again, you know, consulting is just teaching by a different name right. You know, and now are now working for Schellman they actually created an entire learning and knowledge development organization, just so I can teach. Right? So, you know, they put my put my emphasis currently right on, you know, kind of the big marquee ones, right. So, obviously, we you know, I do a lot of CMMC training, I do a lot of CISSP training, CSM, you know, Security Plus, you know, as you mentioned, I have quite a catalogue of certifications that that I am authorized, right or can teach. So, but I think I think I only list like four or five on my email signature, you have to you have to correct me if I’m wrong. So I kind of figure once you hit the, the text wrap, then it just becomes, you know, pretentious, and that’s just, that’s just mean.
Patrick Spencer 9:46
For sure. And then see, good Tim.
Tim Freestone 9:51
No, that’s just going to say well, one of those acronyms I’m particularly interested in is CMMC Someone from our organization took one of your courses? And I said, I have a lot of questions. Can we talk to him on a podcast? You know, and one of the things I think most who will listen to this podcast will know what it is. So we can skip. You know that that part of it. But I’m curious, you know, from your perspective, how seriously is the market? You know, the defense industrial base, taking this regulation as a whole? Do you have a sense of that, because I talked to like, two weeks ago, I was at a CISO event and talked to two CISOs at the head of large manufacturing organizations who do business either with contractors or subcontractors, with the gap Department of Defense, and they were like deer in headlights, and they just didn’t even have sort of a starting point? Right. So it was it was, did I get unlucky twice? Or is it you know, that the run?
Michael Redman 10:58
No, so, yeah. That really is kind of a loaded question. Right? You know, because, you know, I can’t make a statement for the entire DIB. However, I can put them in categories, I can put them in groups, right? There are large, medium, and small, DIB participants that are taking CMMC very seriously, right, you know, that even though it hasn’t been codified into law, yet, they are just moving out, getting it done, you know, volunteering for the volunteer program, because they see the writing on the wall, and they know what’s coming, right, it’s not going to go away. Then there’s like this middle group that they sway with the wind. Right. You know, they’re kind of the LinkedIn junkies, that you know, depending on who posts what, on what day will sway them into one direction or another. And the fortunate part is now that the DoD CIOs office, and the Justice Department are actually posting about CMMC, not just on LinkedIn, but a lot of forums more at a more rapid pace. So there when the DoD CIOs office speaks, especially when the Justice Department speaks, right, that will out outweigh anything that Joe idiot will say about what he heard at the coffee shop about CMMC. And then unfortunately, I would say probably half a good half of the nearly 350,000 DIB participants are exactly what you what you described, they just they don’t know, right? They don’t know, they’ve been told, so many different things that it’s all become goo. You know, in their head. I think a year ago, your year and a half ago, they were they were there, they were fired up, they were ready. And then we had our little false start. And it put all of those people kind of in a really bad place, because they already invested right into CMMC, either with either hiring consultants or actually going ahead and trying to build out infrastructure and work through work through the certification process, as it was understood at that time. It just to be safe, just to be told, okay, you’ve done a great job. 
We’ll see you at some point in the near future, when we figure out the rest of this. It just gave a little it gave him a bad feeling. It became like any other DoD certification process that we’ve heard about over the years, that never actually really happened, right. But the one thing that I tried to, you know, as many people as I can talk to try to, you know, impress upon them is all the other DoD certification processes, and all of the executive branch certification processes. CMMC has one characteristic that’s different from the rest of them. This one CMMC is being codified into law. As soon as that interim rule is entered, right, and you’re done, right, it has now become the law of the land. Unlike these other programs that have gone by the wayside, they were just some office managing a certification activity for the organization. So you know, and so I tried to get people to think about it you know, just think about it that way as hard as it is to get two sides these days to agree on anything. They have agreed on CMMC That should let you know it is not going anywhere. So you might as well just kind of learn all you can now right get find the right people to learn from now. And look at it as a small blessing right that we’re having a ramp up start versus a bang, go start like we were getting ready to do about a year and a half ago.
Tim Freestone 14:58
Yeah. So to two part follow up into that. All of them to that. One is what’s the what’s the latest timeline for the codification of the law? And then the second part is, there’s two kinds of laws, the laws you follow in the laws you don’t live in New York City for 15 years. jaywalking is illegal. Everybody has nobody. And the reason is nobody gets in trouble. So it’s like, what’s going to? What’s the I don’t want to say punishment, but the What am I looking for? What’s the word? I’m looking for? The?
Michael Redman 15:33
The big stick. Right? Thank you. Yeah, the Justice Department has dusted off 125-year-old law called False Claims Act. And over the last year, I mean, if you just like, for instance, set yourself up a Google Alert. For every time there’s an article posted about False Claims Act. Every day you are going to get a new article, the Justice Department has ramped up their use of that act. Right. And simply all the False Claims Act is it what it does is it allows the federal government to come back to the contractor for monies or services that the contractor overbilled the government for. And it has very stiff fines and penalties that go along with it, right up to $10,000 per instance. So if you just look for instance, at CMMC, like level two, right, and 110 controls, if you were less than forthright, let’s just say on 20 of those controls, well, that’s 20 controls times 10,000 plus 1.5% of the contract that you bid. Even if you didn’t win the contract, even if you were not awarded the contract, part of the consideration that that why you were even in contention was because of your false claims. So if I’m bidding a million-dollar contract, even though I might not have won it, and they fight, and they find out that I was doing it under false pretenses, they can attach 1.5 Or that $1 million against my organization for making those claims, so that’s the big stick that they’re that they’re swinging around. And it’s working pretty well, in a lot of instances, because and rightfully so, I think they started with some pretty big names, right? You know, like, you know, Aerodyne and Boeing. And now I think I get probably three a day from a medical ring that they have been had beat up on that 30 to $32 million out of. And so because the big names are being are being, you know, kind of hit, it makes all of us down here and you know, minutia land. They’re going to go after Boeing, and, you know, Aerodyne and SAIC. Why would they not come after me? 
So that’s the first thing to kind of put into your head is yes, they are actually coming after organizations, for lack of a better term for lying about their cybersecurity posture. CMMC is not new. Right, you know, and that’s the problem it CMMC is just the certification of a clause in a contract that you or your organization have been attesting to since 2017. Right? So you said you told the government since 2017? Absolutely. We’ve been doing all 110 of these things. The government and the False Claims Act is retroactive. So the government at any time can go back to your attestation in 2017 18, 19 20, 21 22. And say, you’ve told us that this is all in place. You tried to get certified and couldn’t apparently they weren’t all in place. Let’s have a talk about these other prior five years. So that should make it real for a lot of organizations, right? I mean, this, this, this is an organization killer, right? And you really do need a professional to try to help you navigate through best intentions sometimes, you know, because a lot of it’s going to really come down to some creative writing. Right, you know, and how some of these organizations write their way into being less of a target. Sure. That’s not something a lot of organizations, you know, others see through PAOs and, you know, even our LPOs are going to have a specialty and unless they have, you know, a few people like me that’s worked on the other side of the fence that kind of knows what the government wants to hearing words, no matter whether how straight it is
Patrick Spencer 20:07
Is there is there overconfidence by many of these DoD suppliers, Michael, based on what you’ve seen you, you probably saw the report from was it cyber sheath where it came out and they said 71% of organizations say they’re compliant with Level Two practice requirements based on their self-assessment, right. But then when the DoD actually does the assessment 29% are actually compliant. So that’s a huge chasm when you think about it. And when you tie the liabilities that you’ve just discussed to it, then there should be a lot of cause for concern by a lot of DOD suppliers, I would think.
Michael Redman 20:44
Well, there is and so I spent some time beating up on the drum. So now let’s, let’s switch gears a little bit. The DoD themselves, the assessors that have been chosen to go out there and adjudicate these 110 controls. From the day that I found out about it way back when we were in the original working groups, writing the standard and writing the methodology itself, right. We, the experts wrote it, and then handed it off to an organization within the DIB, to say, Okay, now go adjudicate against this. And it was the wrong organization 100%, all day, every day, Sunday being every day, wrong organization to be adjudicating those controls, because they’re using a different methodology than what was written. So that’s the first part is there’s a chasm, there is a chasm between how the how the assessor is looking at it, and how the OSC is looking at it. Now some of how the OSC is looking at it. The reason that they’re saying that the that they’re compliant with the control is because the language is so fuzzy without definition. Right. So one of the one of the largest, I think, I’ll call it a discussion that I had with an OSC was around a simple word, implemented. The requirement, the D 7012 requirement is that all 110 controls be implemented within the organization. Well, what is the definition of them? Right. And from, from the CEO’s perspective, it was, you know, we bought the software, we bought the hardware for it to go on, we’re training up our IT staff on how to use it, we’ve deployed it to a test group, we’ve implemented it. And, you know, I couldn’t go into a court of law and say, well, obviously, that’s the wrong definition of implementation. Here’s our definition. Let’s open up Webster’s, right, because it wouldn’t necessarily contradict that CEO’s approach to it. However, the assessor’s view of implementation is that you’ve done all the above plus, every system within the organization has now that piece of software. And so that’s the that’s the chasm. 
It’s not that they’re overconfident. It’s that they don’t understand how the controls are being adjudicated. And that’s the danger of self-attestation. If I don’t know how I’m being graded, and I just I get to make up my own grading scale. I’m going to win every take.
Tim Freestone 23:32
Yeah, right. Yeah, who fails themselves? Right.
Tim Freestone 23:39
So, C3PAOs this seems like an industry that’s creating itself as well, these days. You know, we’re involved in some communities, and it’s, you know, this many are, are certified a C3PAO, but that’s like 20%, there’s still hundreds and 1000s of others that are really looking to get in this game. Can you talk about that market a little bit and the impact it’s going to have on companies in their budgets and getting C3PAOs to come in and audit and all that stuff?
Michael Redman 24:11
So C3PAOs to me are an interesting entity, right? I mean, they, you know, they came to existence in the CMMC model, based on the idea that the C3PAO from FedRAMP was working. So well it’s working over there. So we’re just going to lift and shift right and it of course, it’s going to work here. Now, there are some very marked differences between FedRAMP and CMMC. FedRAMP is a federally run program, with the program office and everything else. CMMC is a commercial certification, no program office, lots of different personalities with no one head that you have to listen to. So the design is flawed at the start. However, it is what we are, we’re stuck with it. Yeah. So now where do the C3PAOs kind of fit in? Well, some of that they’re still trying to figure out because of some of the rules of engagement that the Cyber AB has given them. You know, there are some things, you know, for instance, that the C3PAO is not allowed to keep any artifacts from any certification activity. But to me, that’s laughable, right, that opens my organization up to such a wide liability, why would I sign up for that? Right, you know, I want the documents of truth in my vault, when somebody comes at me for three, five, $7 million, because they didn’t get certified. And it’s because of XYZ that we looked at. So the C3PAOs, are being asked to shoulder a whole lot of responsibility. And a greater than normal amount of liability with not a lot of reward that I can see. Right? Because it is a very competitive market. Right? You know, what, what is the difference between this C3PAO, you know, these guys told me, it cost me $35,000. These guys told me, it’s going to cost me 135,000. They’re
Tim Freestone 26:33
all following the same general framework to audit you as to whether or not you’re right, assessed, appropriately. Correct. So
Michael Redman 26:41
Correct. And so, you know, I do not C3PAO, right, you know, right now, because they are swimming in very murky water, that that unless you have patience, you’ll never get out of right, it’s just going to be an endless abyss, what I do encourage, you know, some of the C3PAOs that I like, and that list won’t discuss, but I encourage them to be patient, right, that we did this, for instance, when we were doing die cast. And we had all these things called ACAs out there. And, you know, the best kind of rose to the top and all the others just kind of melted away after a couple years. That’s what we’re going to see in the C3PAO space, right is the good, better and best ones are going to rise to the top and the ones that were really just in it to make a fast buck. They’re going to go away, they’re going to, they’re going to, they’re going to eat their young, they’re going to be they’re going to be gone inside of your yourself. Now, one of the, you know, things that I do participate in still is what what’s identified as the CMMC Standards Council. And, and the attempt of the Standards Council, is to try to clear up some of those questions for OSCs. Right, you know, so, the one thing that the Cyber AB has, you know, has done is Okay, so here is this list in the marketplace of C3PAOs. Right, choose one? And, you know, okay, based on what, you know, how do I know which one to choose? Right? So, unfortunately, I was or fortunately, depending on how you look at it, was given the enviable or unenviable task of creating an objective matrix, that we can look at objective data from a C3PAO. I’m just handling the services part. Right. So C3PAOs, RPs, or RPOs and assessors. 
Take objective data, scale it and weigh it, so that you can come out with this, this score, basically, you know, one through five score, this assessor rated a five and here are all the reasons why they ready to fight right, you know, 15 years of education, 20 years of industry experience, you know, these certifications, you know, customer experience is off the charts, you know, all this stuff, right? Whereas the other ones, right, and again, it’s going to be the same data points collected from all of the participants, right? Because there’s going to be voluntary, you know, they didn’t score quite as high. So that is why you’re getting a $35,000 ROM versus $100,000 ROM, you’re paying for experience, right and knowledge and skill and, you know, reach back support and things like that. Your budget may not be able to, at the end of the day afford that $100,000 activity, even though you want to, but you still got to get it done. So here I’m just going to shoot in the middle. This guy gave me 50 grand. We’re just going to go with that.
Tim Freestone 29:56
Yeah, is that model in play right now or you’re still we’re Working on
Michael Redman 30:00
it is not in play currently. I do I, as a matter of fact, I just finished last month. The first one what I’m calling the alpha version of it. It’s circulating with some with some friends to see, okay, am I off my rocker with some of these things? You know, what do you think? You know, is this a fair method? And to just to just, you know, you know, full open kimono, right? I put myself through the scale, and I could not max out at a five, right? So, you know, I didn’t you know, just create a scale that of course, you know, me and all my friends are going to be fine. And everyone else, you know, are you know, screw you know, if I could max out of five, I feel that if you max out in five, you, you are exceptional, and you should be recognized for that
Patrick Spencer 30:55
will be available for DOD suppliers to review so they can take that into account when they’re looking for those.
Michael Redman 31:03
So I don’t lead the Standards Council, a gentleman by the name of Mr. Egans does, Derek Egans, she will be kind of the gatekeeper. And when they decide to publish this, I know it’s something that the Standards Council is anxious to get out. And, you know, unfortunately, through some kind of personal hurdles that I’ve had to jump over, not to mention, you know, multiple surgeries over the past few months, my progress was kind of stalled, but they’re anxious to get it out. So, you know, I told I told Mr. Egans, that I would like to personally have it out by fall, right? If nothing else, just in a beta form that that people can, so we can start to get volunteers, right, because there’s only so much I can do with dummy data, right, I need to get real volunteers submitting real evidence to see even if it’s something that they’re willing to submit themselves to. And right, you know, kind of, there’s so wet paper as to why you would want to submit yourself to such a thing, right? Because you’re going to catch a lot of a lot of fish, just by being on the marketplace. And, you know, of course, it’s $100,000 ROM, because they have to be that good, or they will charge that much. Right. You know, so, you know, organizations are taking a risk by, by subjecting themselves to such a thing. But, you know, when, when you look at the faces that make up the Standards Council, right, I mean, you’re eating causes, you know, the Coalition of the Willing, we’ve been together since the beginning, since the very first working groups, you know, under the AB’s board, and we stuck with it, we it’s all volunteer time for us, right, you know, over since 2020, I’ve volunteered over 1700 hours, to the CMMC ecosystem, doing this type of type of work, because I believe in it. And so to the rest of us, right, and we have representatives from AWS, and Google and Microsoft, and, you know, this just this isn’t just, you know, five dudes drunk in there, in their garage. Good idea. 
Now, I’m not saying that we’re not drunk when we. But, you know, again, it gets worked out in cases of silver every now and again. So
Tim Freestone 33:29
is the Standards Council part of the Cyber AB they started this, or is it totally different? No. So
Michael Redman 33:36
so we want to make it very, very, very clear. And Matt Travis, has asked us to make it very clear, even though this the Cyber AB eventually is going to recognize this, we in no part whatsoever are affiliated with, with the AB. And it has to be that way, you know, we are adjudicating basically the AB’s, people. Right? Right. So, you know, we can’t have any appearance of impropriety. You know, we’re even working through getting, you know, ISO certified, so that, you know, everything is above board and, and, you know, it’s, we only want to do this so that OSCs know what they’re getting, when they sign up for it, you know, and based on objective information, right, and if you can’t afford the Cadillac, and I think a lot of us have been in the situation right where we went to the Chevy dealership, we saw the Corvette, but I got three kids to them playing soccer, one playing volleyball, I got to get the dog on minivan. I’ll deal with the Corvette later. So you know, that is the options that we want to we want to give them yeah, you want the Corvette everyone wants the Corvette. But if you can’t afford the Corvette, get the next best thing. Just to get what you need done for your organization. And you know, secure your data Yeah,
Tim Freestone 35:00
Interesting. So obviously still a lot of work to do across everything. You know, Kiteworks is in the space to help customers with their file and email data, make sure it’s CMMC compliant, doing everything we can there, staying up to date with CMMC. What are some near-term rollouts or changes or aha moments? Is there anything coming that the audience should know is happening, that’s not just sort of general knowledge? Yeah,
Patrick Spencer 35:35
Maybe the phased implementation? What can we expect to see starting in the May/June timeframe?
Michael Redman 35:42
So one of the things that I think landed with a loud yet very soft thud, because I don’t think people understood the gravity of what the article was saying. About three months ago, there was a posting that came out of the CIO’s office saying that they were not going to hit their target date of May for the interim rule for CMMC. And I think everyone stopped reading at the headline, right, and didn’t go under the fold. What the article was telling you is they are forgoing the interim rule and going straight to the final rule. Now, what does that do? The interim rule has this period of public comment, where for 30 days, here’s your proposed rules, the world has the ability to make public comment, and the posting organization has to adjudicate each one of those comments, even if it’s just to say, we will not address this at this time. And once the adjudication is done, then they move into the final rule and go into chamber votes and things like that. Well, by jumping straight to the final rule, essentially, if you kind of know how the system works, what they’ve said is: with CMMC version one, we did an interim rule, we got public comment, we heard what everyone had to say, we don’t need to do that all over again, we’re just going to post the final rule based on what we had. You will still be able to make public comment, but once it’s a final rule, it’s done. Right. So if they actually do what they say they’re going to do, and come 30 June they post a final rule, CMMC is now real. Now, the ramp-up period is obviously going to have, you know, some space. The last I heard, it’s going to be at minimum an eight-month ramp-up period; at maximum they’ve talked about an 18-month ramp-up period, right? With
Tim Freestone 38:09
Ramp up to what? Ramp up the
Patrick Spencer 38:12
more teeth, or
Michael Redman 38:14
Ramp up to more of, you know, which organizations have to submit, right? So if it’s a brand new contract that has not been awarded, obviously that contract will fall directly under the final rule. If someone this year, for instance, even though the final rule would have been published, let’s say the month before, just won a five-and-five contract... well, do they get all of the first five years before they have to be CMMC compliant, because there was no final rule at the time of award? Because technically a contract action, which is how it’s been indicated as to whether or not you have to submit for certification, would not happen for five years, when they exercise the first of the five-year contract extensions. So how do you work that in, right, if you just got a five-and-five contract? No, we’re not going to let you sit out there for five years messing things up, right, but we are going to give you some time to ramp into it. And that’s where what is fair comes in: 18 months, eight months, whatever. However, the one thing that I would encourage people to understand: it’s been in every federal contract I’ve ever written and/or been subjected to, there’s always a clause in there, “we reserve the right for announced and unannounced visits.” And they are exercising it, and it might just be a spot check of those 110 controls. And if they find one that has not been met, they have the ability to shut down that contract until everything is taken a look at. And I feel like Chicken Little, right, but this time around, they’re not playing.
Tim Freestone 40:14
This time, for sure. Yeah.
Michael Redman 40:17
One of the things that I said when I was an ACA assessor doing DIACAP: we would joke around with each other saying, I could issue a DATO, too, but the Army’s never going to shut that program down, right? So why am I wasting my time here letting them know how bad this thing is? Because they’re never going to do anything about it. Well, we have seen firsthand, at least these last 11 months or so, that yes, the federal government is actually shutting down large, multimillion-dollar contracts until these organizations get themselves right. So that’s why I can now say with a little bit of confidence: yeah, this time they’re not playing around.
Patrick Spencer 41:06
Yeah, I read that something like 50% of the DoD suppliers will lose 40% of their revenue if they can’t demonstrate CMMC compliance. Companies will go out of business if they can’t get CMMC compliant and demonstrate it.
Michael Redman 41:25
But please understand, that is not the design of CMMC; it is not designed to drive you out of business. It is to assure that you are doing God’s work with what you do for the federal government, that no one could do it better than you, and that you are understanding the gravity of the data that we’re entrusting you with. We don’t want to drive you out of existence; that is not beneficial for anyone. Right. But I have heard a lot of organizations, especially some of the smaller, you know, five- and ten-man contractors, when they get in their power bitch sessions, and next thing you know, it’s all about, you know, they just want us gone, they just want to take our ideas and steal them, and this is their way of forcing us out. And I try to remind them that if they could have done it in the first place, they would have never hired you. So, you built the thing. Could you say they can maintain it for any length of time without you? And if your answer is no, then you might have landed on the wrong square. Right? They don’t want to push you out. They just want to make sure that other people, that we don’t want having your great idea, don’t get your great idea.
Tim Freestone 42:54
Yeah. Well, we should do this again after the final rule is out there.
Michael Redman 43:02
We don’t even have to wait that long. I mean, I was not a Friday and liquor sitting around. So
Patrick Spencer 43:09
Next time, hopefully you haven’t had surgery the morning of the podcast. Only a Marine would show up for a podcast who had surgery a couple hours before.
Michael Redman 43:19
When people doubt my background, my upbringing, and who I am, look at some of the things that I’ve done, right? You know, this was years ago, and I was a much, much healthier person. I taught an entire week-long CISSP class with two ruptured discs. And they couldn’t believe it, right? Every day they told me to go home, right, but I had a customer that had people that took time out of their schedule to be available in Virginia for those five days, and I did not want to not give them what they paid for. So put your head down and just do it. This is no different, right? Yeah, I might have been under a lot of sedation earlier, but I’m here now. Yep.
Tim Freestone 44:19
Very lucid. Well, we really appreciate your time, Michael. We’re at our 45 minutes here and don’t want to take any more, but we’ll do it again for sure.
Patrick Spencer 44:30
Back in the May/June timeframe. Speedy recovery. Appreciate your time. For our audience, to check out other Kitecast episodes, go to kiteworks.com/kitecast. Thanks a bunch.