Transcript:
Connor Swalm
Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
I'm Connor Swam, CEO of Phin Security, and welcome to Gone Phishing. Hey everyone! Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin and I am joined once again by Matthew Fish, security expert and also the founder of Fort Mesa. How are you doing, Matt?
Matthew Fisch
I'm doing okay, helping our clients with government contracts today.
Connor Swalm
That's awesome. But, yeah, government contracts, the subject that everyone wants to discuss.
Matthew Fisch
No one wants to discuss it.
Connor Swalm
We've chatted about cybersecurity spending, basically a whole bunch of mindset. How should people be thinking about this? We talked about CIS controls, we talked about cyber insurance, where they might overlap. That wasn't the right word to use. But where they might, how one might prepare you for the other. I'll phrase it like that. And now we're talking about government contracts. So where would you like to take this? How can we help MSPs win government contracts?
Matthew Fisch
Well, so, I mean, ultimately, one needs to understand the position of the government, which they're looking for two things: They want to know that they're getting value for money, and they set out all sorts of requirements on how to determine that they're getting the right value for money. And so they have formalized practices, formalized acquisition, and if you, as a service provider, have a client that's trying to chase these contracts, and they can be quite lucrative, you do have to satisfy those needs to make sure the government's getting a fair deal.
But the other side of this is the government also wants to, they're relatively low-risk organizations. The government does not accept risk on behalf of the people. They try to protect the people. And so their requirements sometimes seem onerous, right? But the reality is, if you're doing the same things that are helping you get cyber insurance, and if you're doing the same things to make sure your end customers are right-sizing their security investments, you should not have too much difficulty helping your clients get government contracts, whether they're state, local, municipal, federal. And, you know, the requirements differ all over the planet, but I think if we just sort of bracket around what happens in the US, you've got federal requirements which tend to, not always, but they tend to be the strongest or the most difficult to meet. And then you've got state and local, which can sometimes be onerous but are sometimes easy to meet. And then you've got local municipal K12, the popular vertical for first service providers. And increasingly state governments have said, “Hey, actually you have to meet new cybersecurity standards in the K12 industry now.” So these are required for any end client that wants to work with any of those entities.
Up at the federal level, there's a number of standards that the government relies on. So they work with the National Institute of Standards and Technology to come up with criteria that contract officers then have to follow. They're actually required, the contract officers that they're at the federal level are required to ask all of their bidders on contracts to do X, Y and z based on dead scenario. And contract officers are not all equal, they don't all understand it, but they do understand, “Oh, we can just point to this NIST bulletin.” And the most common requirement is going to be the NIST 800 171 compliance checklist and it's actually not a security standard in its own right. It's a list of 110 security controls that have been borrowed from another NIST standard, NIST standard 53. Yeah, NIST 853, really, which CSF it stacks on top of and, and 853 is tough. It's several hundred controls, not several, it's almost 500 controls to get through NIST 853. But what the government has said is 110 of those are really important if you're a contractor trying to protect the government's and the people's interests.
And so you as a service provider, your job then becomes supporting essentially the business case to the government that this customer that you're supporting is actually doing some or all of those things. And if you're not doing those things, you also probably need to go a step further and say, well, here's the things we support today, and here's where we're planning to be in twelve months, and here are all the dates that we're going to achieve milestones to make improvements. And you have to evidence that with a formalized plan, and you oftentimes have to back with evidence, you have to prove out what security you have in place. And this is what the federal government's saying. It's a similar thing that an auditor would ask for, prove you're doing what you say you're doing. And so that's the MSP’s job is then to prove what they say they do and it's basically take screenshots, print out reports, record the details of what your processes and practices look like in policy. And submit that as part of your client's effort to win that contract. So it's a lot of documentation work, but if you're doing it as you build the security, it's really not a huge lift. So that's on the federal side.
In state government, the most common framework you're going to see is going to be NIST 853. Sometimes you will see references to NIST CSF. Although NIST CSF, counter to most people's. understanding is not its own security standard, it's a framework that points to other standards. So NIST CSF doesn't actually tell you how to do anything. It's a list of things that you can do. But then if you want to understand how to do that thing, you have to go to another standard like NIST 853. So those NIST 853 dictionary controls can be used to satisfy both federal requirements and the state level requirements.
And if you go down to local government, you're going to see some of the same things. You're going to see NIST CSF, you're going to see NIST 853, and sometimes you're going to see CIS. CIS was actually developed out of an effort to help state and local governments. So state and local governments across the country, and really governments around the world are using CIS to prioritize their security efforts and sometimes those things make their way into government contracts as well.
Connor Swalm
Got it. Where does CMMC fit into all this? For those that are listening that don't know, what is CMMC to begin with and where does it fit in?
Matthew Fisch
So I didn't talk about the Department of Defense, but the Department of Defense rightly thought that NIST 800 171 didn't go far enough, because NIST 800 171 is a list of things that the government thinks you might need to do to protect them. But nowhere in that standard does it say which of the 110 things absolutely have to be done to protect the government. It's just a dictionary. It's been up to the contract officer to decide, go out and look at all the bids and say, well, this guy's got the most points you know, he's going to get the contract even though his cost is more because he's got better security to balance that with cost. And the DoD finally came back and said, “This is not good enough, guys. Contractors are not spending on security the way we want them to spend. We are the Department of Defense. We need to be defending in cyberspace and our supply chain is critical. For those not aware the supply chain is the big differentiating factor in the US military. It's the way they're able to project power, and most of that's privatized. It's really important for them that the cybersecurity element is all up the supply chain.
And when they look at adoption rates of NIST 800 171, they weren't too happy. So a few years ago, this actually rolls all the way back to 2019 or 2018. The DoD initiated this effort, the Cybersecurity Maturity Model Certification Standard. And the idea was, here's an exact list of things you have to do to win a contract with the DoD. You don't have any choices and they had multiple levels to meet depending on the sensitivity of the contract. We're now through two major versions and we're getting ready for a minor version update. And it's been basically for the last three years or four years, preparation stage for the industry. There are hundreds of thousands of contractors that service the US government interest. So getting any large portion of them requires getting a large portion of them audited, because the government's saying, “Not only do you have to meet these standards, but you need to prove it.” Getting those hundreds of thousands of contractors up to that level, it's a massive bureaucratic nightmare, really.
So they had to go out to the private sector and they had to say, we need assessors, we need auditors, we need certifiers, all the things. And they've been spending the last couple of years building that up and iterating on the standard and there was a town hall just in the last few days where they're getting ready to announce their 2.1 standard. And they're hoping to ratify later this year. At that moment, when they ratify that, it will not be possible to sell toothpicks to the Department of Defense unless you've done some kind of CMMC assessment.
And so that's creating a lot of audit work for those of us that are, that work in that space. But it's, you know, it's also an opportunity for service providers, MSPs, to differentiate themselves. You know when you can help your customer win or keep federal contracts, but the guy across the street can't help the service provider do that. That's the only difference you need to tell and talk to the client about. You don't need to prove anything else. I'm going to help you. I'm going to help your business survive. I'm going to help you actually win contracts. So building that knowledge in-house, having the tools and capabilities to do that is critical.
Connor Swalm
So if I understand the separation, I guess not separation, but the patterns correctly. Federal, state, and local governments will base their compliance requirements on 853 or 800 171, some combination thereof, CIS controls included. Whereas if you're working in any Department of Defense, tangential relation, there's any kind of relation there with the Department of Defense. You have to abide by CMMC, and you have to, what I assume, you have to pay for an audit that you can prove you passed, and if you don't pass, go pay for it again.
Matthew Fisch
Yeah, it does depend on the sensitivity of the contract. So at its lowest level, self-attestation, medium level, you need to bring an auditor in at a high level to get the highest certifications. Only the federal government can audit you. So they've created these levels that are appropriate for the types of things that are supplied into the defense supply chain. But, yeah, they're all based on the NIST 800 171 that's been around for quite, quite a few years now. Which is also, again, in turn, based on NIST 853, which has been around in even longer time.So these are not new requirements, but what's happening in the federal government is they're saying not only do you have to pay for what security you have and bid against other providers using this dictionary of security things, but actually, there's a minimum level, and you can't sell us anything at all. And even if we've been happy with you for the last five years, you're not getting a renewal unless you can evidence security to the level that we're saying we want our supply chain at.
Connor Swalm
So quick question on that. If an MSP is working with a client of theirs on some kind of government contract, let's say just use a state government contract, for example, to what extent is the MSP a subject of that audit? If they're a part of the discussion with that client?
Matthew Fisch
Well, I mean, end clients typically aren't prepared to create this evidencing themselves. You know, if you encourage them to seek an outside compliance firm, that outside compliance firm may or may not be able to support them. Certainly, it's not the cheapest way, and it's not the best way for you to retain that trusted advisor status when all you need to do is document the things you do for your job or the things that your organization do in the course of fulfilling this agreement with the client. And if there's a part of the government compliance apparatus that you don't support our client with cause it's not your job, tell your client that. That's a reason why they may expand scope with you or it's a reason why they may, maybe they'll take their own responsibilities. And it's increasingly the case that you can't wing it anymore, you can't fake it. There's a case winding, it's through the courts right now about a university that I will not name, although it's public knowledge that was faking their DoD compliance for the last several years, and it's not looking good over there right now.
Connor Swalm
I imagine at least a few people will lose their jobs, if not harsher penalties.
Matthew Fisch
I think it's going to change the whole industry. I think there's a line drawn in the sand now that rubber stamping is no longer enough.
Connor Swalm
Self-attestation is a benefit and a curse at the same time.
Matthew Fisch
So this stuff's not nearly as complicated as it sounds, particularly if you have a piece of software that step by step brings you through it. On the training side, certainly there's requirements that need to be met in these government contracts. As an example, you're helping the court system there's things you need to do in criminal justice. If you're helping the VA, you probably need to meet HIPAA requirements. These are things that are not difficult for a service provider to support if they have some way of breaking down the problem space into smaller bits.
Connor Swalm
Got it. If an MSP, or a client at an MSP, or just a small business in general, were trying to learn more about this, or I want to say, I'll phrase it like this, take a first step thats not going to melt their brain. What would you recommend?
Matthew Fisch
Well, ultimately you need to go through the full process to really understand it yourself. And that's our approach with our partners. When they onboard with us, they come onto our platform, which helps the governancing and project planning around this type of evidencing. We're chief cheerleaders. Our onboarding process is tell us about that deal. Let's walk you through it step by step. Do you have questions about the next deal? And really helping people learn how to have those conversations with their customer, create their own evidence, documentation, really support the client and their efforts to win these contracts.
Connor Swalm
That makes a lot of sense. If people wanted to learn more about you, more about Fort Mesa, and find a way to potentially work together or just digest some of the information that you have available, how would you suggest they get in touch with you?
Matthew Fisch
Sure, jump on fortmesa.com Go check out our partner page or our product information. You can also find us on YouTube or LinkedIn.
Connor Swalm
Sweet. For those of you listening, we'll have everything in the show notes. If you're watching, we'll have it in the show notes, too. We're not stingy with it. So feel free to reach out to Matthew,
connect on LinkedIn, find them through the website, and ask them questions about what is frankly the this right here, government contracting, compliance requirements, whole nine yards. Most of the questions I get from not only partners, but from partner's clients is, you know, I may focus on awareness training, but there just seems to be such wealth. I'll air quote for you, “the wealth” of information because some of it's disinformation when it comes to teaching people to do the wrong thing in compliance that a lot of people just have no idea where to start. It's like analysis paralysis, there's too much to begin with, so they just stop. So huge question, huge things I get a lot of questions on, for sure.
Matthew Fisch
Thank you.
Connor Swalm
Anytime.Sweet.Thanks for, thanks for being here. Thanks for educating everyone on winning government contracts. I don't think I will ever attempt to win a government contract anytime soon. You might have scared me a little bit, but that does not dissuade others. So I appreciate it.
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out Phin Security at Phinsec.io. That's P-H-I-N-S-E-C I-O. Or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.
