Cyber Savvy
A successful cyber-attack has taken your company off-line. The FBI and CISA have been contacted. What now? As you know, if this hasn’t already impacted your business (either directly or indirectly), it will.
How can you make yourself a harder target, mitigating against cyber-attacks? What does all the terminology mean and why does it matter? What happens if an attack is successful?
Join DTC, Inc. as we outline, in a straight-forward manner, many of the issues surrounding cyber security which directly impact business owners. Our Cyber Savvy podcast episodes feature Mike Shelah as he brings in a new guest each month.
New episodes will be posted twice a month on the first and last Thursday, make sure to follow and subscribe wherever you listen to your podcasts, so you don't miss new content!
We would love to hear from you! Please send us your comments and questions to: AskUs@DTCtoday.com
Cyber Savvy
Cybersecurity's New Frontier for Defense Contractors | Part 1
In this podcast episode, Mike Shelah interviews Amira Armond, founder of Kieri Solutions, about the Cybersecurity Maturity Model Certification (CMMC). They discuss the program's role in protecting sensitive defense contractor information and its impact on cybersecurity standards for government contractors.
The conversation also offers a brief personal insight into Amira's background, revealing her interest in search and rescue work with her German Shepherd, adding a human touch to the technical discussion.
Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!
Mike Shelah (00:00)
Hello, cybersecurity and podcast and social media universe. And welcome to the latest episode of Cyber Savvy. I am your host Mike Shelah and our show is brought to you by DTC. And remember at DTC we make shh IT work. For more information, go to www.dtctoday.com.
And I am really excited about these next couple episodes that you, my viewing and listening audience will get to partake in because we are going to be speaking with my friend Amira, who is the founder of Kieri Solutions. She is a fellow cyber nerd and a longtime subject matter expert in the realm of cybersecurity and happens to specialize now as a C3PAO for the government contracting community and we'll get into what the heck all that means. No, it's not a robot from Star Wars. It is so much more. Amirah, thank you so much for joining the CyberSavvy Podcast today.
Amira Armond (01:07)
Hey, I'm glad to be here, Mike.
Mike Shelah (01:09)
Yeah, this is going to be a great conversation. And for our audience, we are recording this in November. You're hearing it in December. Alot's happened. Yeah, a lot has happened from a cybersecurity standpoint, from a CMMC standpoint in the last few weeks. And I'm sure that that's going to be ramping up how we work with our clients, but let's start with something that I like to call businessperson.
Amira Armond (01:21)
my goodness, yes.
Mike Shelah (01:22)
So Amira, tell us about your company and then tell us a little bit about yourself as well. Pets, you know the things that you do outside of the cybersecurity world, the things that make you a person as it were. But let's start with a Kieri Solutions. Tell us about your organization.
Amira Armond (01:58)
Okay ah well, Carry Solutions founded in 2015. At first it was just me,little wannabe entrepreneur. I had been working in increasingly difficult roles with the government as a contractor. So you know, for anybody who's been involved with the Navy Marine Corps intranet, I cut my teeth there way back in the 2000s and worked on ships, did, you know, highly secure networks, DISA, Navy. So when I started Kiere, I wanted to do basically dangerous migrations, right?
So if, for example, migrating sand, if you do that wrong, the company's dead, or at least they're down for a long time. So I specialized in that and started getting a little bit more demand on the cybersecurity side. So started offering more and more services there. 2019, I was at a conference for the Defense Federal Acquisition Regulation 252-204-7012, which is just a bunch of numbers, right? But it's basically a regulation that applies to defense contractors. And it says, you defense contractors in exchange for the government paying you money to build a PAR to provide a service, you need to do a lot of cybersecurity on your networks. You need to protect our information, which we call controlled and classified information.
And so I went to this conference and I saw, I, it just, it was very lucky because I happened to be at the announcement of the CMMC program, which is the DOD's initiative to force contractors to get third party audited on all of this cyber security that they're supposed to do.
CMMC stands for Cybersecurity Maturity Model Certification. And essentially, from the DOD's standpoint. Hey guys we've been paying you money to do cybersecurity. You say you've been doing it. I'm not really sure if you're doing it. Like indications, not so great. I know it saves you money to not do all of the extra expenses, you know, risk assessments, having a full time CISO on staff.
So we understand everybody is kind of incentivized to do the minimum, but you have to do cybersecurity. And we're going to force you to do cybersecurity. And the way we're going to force you is we're going to set up a private sector, public sector partnership with companies called C3PAOs, certified third party assessment organizations. And they're going to come in and basically assess and certify that you are doing cybersecurity.
If you can't get certified, if you don't do this, you can't win contracts, which is kind of an existential threat to defense contractors. So that was way back in 2019.Um You know Got very, very involved in this new initiative, became one of the subject matter experts, started building a team and programs for helping companies get ready, and also built a team to do the assessments.
And now in 2024, five years later, five and a half years later, to be specific, the DOD made the program official. And it's now, it's now go time. So we're going to be full speed ahead. We're already having a hard time answering the phones. And my company at this point is about 15. people. So we definitely we're definitely growing.
Mike Shelah (05:56)
Wow, that is super cool. All right. So give us a little bit of you when you're not saving the world from bad cybersecurity. What are you doing? Do you like to read? Are you a sports enthusiast? Do you spend your time at museums? You have a dog. Tell us about you as a person a little bit.
Amira Armond (06:20)
So hopefully, of course, I'm a reader. I love sci-fi. I'm a bit of a gamer. I haven't had much time lately, but I can get sucked into the games. But probably the most interesting thing is I do search and rescue with a highly trained canine. And so this is my dog's name is Avi. He's a working line's German Shepherd. He's sable colored.
Mike Shelah (06:40)
Oh wow!
Amira Armond (06:41)
And essentially, I got into it about three and a half years ago. And the, the canines that, that are trained, so they're so effective. They're so good. they can one, one team, you know, me plus one other person for safety plus the dog can replace 20 human searchers.
And especially if the person we're trying to find is camouflaged in some way. They're a hunter, they fell underneath the bush, something like that. We're far more effective because the dog can smell them and find the person. So, I have two quick stories. Way back in 2000, when I was a young adult, I had joined a search and rescue team.
As just a regular ground pounder, you no special skills, I just wanted to help. And I had been called out on search for basically somebody who had had brain surgery and they got up and walked out of the hospital and now they're missing, right? So it's cold, it's winter, very, very severe situation. And so a bunch of us are out there.
Flashlights were checking all the pawns. We're checking all the ditches, right? And we're not finding her, not finding her, not finding her. And I came back to the hospital and I was standing outside the hospital room where she had been. And the first dog team arrived and I'd never seen a dog team in action. And they came up and they walked the dog over to the bed and then the dog pulled them out the door.
Pulled them down the path right past me when a hundred feet turn left and there the lady was underneath the bush where we've been walking past her for two hours and at that point I realized this is incredible so yeah search and rescue it's a if you like to be in the woods in the dark in the rain for a good purpose I highly recommend it there they always need more people
Mike Shelah (09:02)
Wow, that's fantastic. Thank you so much for sharing it. And I think you just reinforced that every one of us has this thing about us that when people hear it for the first time, they're positively delighted by it. And I'm delighted by your story and what you're doing. So thank you so much for sharing it.
You and I could talk offline about the value of that work as well. I have a 19 year old son on the autism spectrum and one of the challenges I know search and rescuers face is if somebody on the spectrum elopes they don't follow typical patterns and so having a dog that can track them down saves lives. That's the short answer. So thank you for what you were doing so much for the community.
So let's go back to our nerddom and I have always said that CMMC functionally has four phases and you are very critically involved in what I refer to as phase three. So I look at it as the business must be assessed. You know, where are you? How bad off are you?
Once that's determined, you need to remediate. So you need to fix and then you are phase three, you come in, you look at the remediation work that has been done and you determine is this up to the standards for certification? Have all the I's been dotted? Have all the T's been crossed? Have you documented everything? Do you have the proper tools in place? Do you have the proper training? And I'll let you get more into detail with that. And then once you have done your part, there's a very critical maintenance.
Which is a subtle thing that I don't believe a lot of the customers think about. So for example, your business, you have 25 employees, your government contractor, you get your certification. One week after certification, Bob quits. Well, there's a very specific process you have to go through to document that Bob quit. And then you hire Mary a week later.
Well, there's a very specific process that you have to go through to document that you hired Mary and what access she has, because if you don't, well, now your certification's invalid. And if something happens, it's gonna mean dire consequences for your company. So tell me your Your experience as that third piece of this series for government contractors. Tell me about what, because you've been in this now for almost since day one, it sounds like. Just talk big picture, what you're seeing out there from a trend stand.
Amira Armond (11:58)
Okay, so this program to protect controlled unclassified information, which to be quite honest, this is very sensitive information, especially for the Defense Department. It's how to build weapons, how to build nuclear stuff, how to build fighter jets, right?
The cutting edge technology that makes the Department of Defense in the United States a leader, you know, and hopefully deters war across the world. A lot of people think that that information should be secret. Some of it should be, right? It meets the definition of secret. The problem is, is that if we make that information secret, we can't build it, right? We can't mass manufacture it because the manufacturing and the amount of people involved, just, it makes it impossible if we limit it to somebody inside of a small dark room, right?
So that's why we have this separate category of very sensitive information that we have to protect, but we also have to share it throughout our supply chains. And there's about, estimates are there's about 80,000 companies in the United States and also worldwide that have to work with this information in order to build parts, provide services.
Now, a lot of them, now here's the thing. The expectation for cybersecurity is very, very high for these companies. It's very high. It's like if we've got, you know, government, as the very highest level of cybersecurity, you know, and they've got tons of full-time cybersecurity people for every network. And then we've got maybe financial institutions right below that. Right, Right below that or maybe even above the financial institutions are the expectations for these 80,000 defense contractors.
So, you know,Bob's machine shop with your 30 employees, you have to have cybersecurity that's like T-Row price. You know America, right? Like this is not an easy thing. And there are ways of making it easier. If you work with a company that's done it successfully several times, then it can be easier.
But, you know, typically just to kind of give you an idea of the effort and cost involved, a 100 person company will normally have one full time IT person, right? The CIS admin who sits in the room, right? And maybe they're playing Counter-Strike a little bit on the side when they're bored. When you need to start doing all the requirements for CMMC to protect this controlled unclassified information.
You're typically going to need to add two more people full time to staff, a cybersecurity expert and then another cis admin type to do all of that extra tasks like onboarding people following a very strict process, offboarding people, keeping records of configurations and baselines and inventories, doing patching as fast as you can.
Performing risk evaluations and vulnerability scans on a schedule. So that's that’s a lot of extra costs. Now the good news is, is the DOD is up for paying that cost. If you ask them, they're like, we would rather pay all of these defense contractors to have more staff, more expensive systems than to keep losing the information to adversaries because there are certainly...
exfiltration efforts going on to get that sensitive information but the defense contractors still need to do what all contractors have to do which is have the lowest price technically acceptable contract so if you're the only defense contractor paying for those extra two staff and all the rest of the contractors next to you aren't doing cyber security
they're going to have the lowest price, right? Hard to compete against them. So this assessment, this forced assessment ecosystem where you have to be a third party assessed in order to win the contracts, that actually forces every single one of the competitors to pay for those plus two people as well. And now we have an even playing field where the contracts can be awarded properly.
Mike Shelah (16:36 )
I love that. That is a great explanation of what's going on because I haven't been at this quite as long as you. want to say that I started swimming in the CMMC pool mid to late 2020 and ended up working with a handful of government contractors at the time.
And you've you've reinforced a lot of the things that I'm hearing out in the marketplace. You know, one of the things that I hear is, oh I don't have any confidential information. It's like, well, you know where the base is. Is that where you're delivering it? Well, guess what? That's confidential information. It's one very small piece. But when you start to look at it that way, it's really easy to understand.
And again, I know you can appreciate this. There have been cybersecurity standards for a long time. HIPAA was created what, like 1999 or something like that? And 80 % of doctors don't follow that. Don't even come close. PCI for the credit card industry has been around almost as long. it, arguably it's the easiest of...
the cybersecurity plans to follow out there. But 90 % of businesses that use credit cards as part of their monetary transactions, they don't follow PCI. Or worse, they say, well, my credit card company handles that. And that's the conversation that the CEO of my company, Steve, and I were having is one of our clients pushed back on him and said, well, I don't have to worry about that because my software vendors are handling that.
He very bluntly said to the customer, have you read your terms and conditions? And that gets back to CMMC. And I think what CMMC is doing a very good job of is placing the responsibility squarely back upon the actual business itself. Saying, look, I don't care how many vendors you have, you're going to take responsibility for this and we're going to start to see a cascading effect.
So the primes, for example, are now going to their subs and saying, well, you need to do this because it's required of me. And I'm not going to have you cost me a $10 million contract. So, you know, I'm curious to hear your thoughts around what you're seeing out in the landscape today.
Amira Armond (19:15)
For sure. So, CMMC is, like I said, it's one of the most intense cybersecurity frameworks, you know and it's based off of a NIST publication number 800171, which has got 110 security requirements. It is more intense than SOC 2.
It's way more intense than 27,001. Okay, so if your company has gone through those, good. You still got a lot more to get ready to pass a CMMC Level 2 Assessment for CUI, unfortunately.
Now like you mentioned, one of the key parts of the CMMC program is we assessors are trained that the organization is responsible for their vendors. So you can't just say, I threw my information over to somebody else and now it's their problem, right?
They are responsible for making sure that if it's a downstream subcontractor that that subcontractor is in compliance, right? And unfortunately, we're still kind of in the days of self-attestation, right? Are you compliant? Yeah, I'm compliant. Okay. I swear, right? Please sign on this paper that you really are and then I'll share it with you. And that's what everyone's been doing for years and years. And that's how the government's been doing it to contractors, right? It flows like that. But we are going to get to that certification stage where it's going to be, well, okay.
Show me your cert before I give it to you, before you can be on my team. You have to show me that cert, which is going to fix a lot of things. In regard to other vendors you know, your managed services provider for your outsourced IT if you're a small company or maybe you're using a cloud to store your information, Microsoft 365 or AWS for example.
It is 100 % on the contractor whose information that they're putting out on that cloud to make sure the cloud or that provider is fully secure basically at the same level as them.
Depending on very- there are rules, there's scoping guides. We do have guidance from the Department of Defense on what applies to what. But there's definitely no allowance for just flinging it out saying, okay, it's somebody else's problem. I don't know where they are. They could be in Pakistan, right? I I just don't know. They could have their doors unlocked. I don't know, right? Not my problem. That's no longer gonna work.
Mike Shelah (21:55)
I think that is a great place for us to wrap up this episode.
And then in the next episode, we're really going to get into some of the more, I guess, field experiences that you've had. So Amir, this has been great. Thank you so much to our viewing and listening audience. Thank you for tuning into the Cyber Savvy podcast, which is powered by DTC. You can learn more at www.DTCtoday.com. And remember at DTC, we make SHHH IT work. Thank you for listening.
Amira Armond (22:25)
Cheers.