
Cyber Savvy
A successful cyber-attack has taken your company offline. The FBI and CISA have been contacted. What now? As you know, if this hasn't already impacted your business (either directly or indirectly), it will.
How can you make yourself a harder target and mitigate cyber-attacks? What does all the terminology mean, and why does it matter? What happens if an attack is successful?
Join DTC, Inc. as we outline, in a straightforward manner, many of the issues surrounding cybersecurity that directly impact business owners. Our Cyber Savvy podcast episodes feature Mike Shelah as he brings in a new guest each month.
New episodes will be posted twice a month, on the first and last Thursday. Make sure to follow and subscribe wherever you listen to your podcasts so you don't miss new content!
We would love to hear from you! Please send your comments and questions to: AskUs@DTCtoday.com
Understanding CMMC Requirements with DefCerts CEO Ryan Bonner | Part 1
In this episode, Mike Shelah, host of the Cyber Savvy Podcast, interviews Ryan Bonner, CEO of DefCerts, for an insightful discussion about cybersecurity and CMMC in government contracting. The conversation explores how cybersecurity has evolved from a luxury to a business necessity, common misconceptions in the industry, and the challenges organizations face in meeting security requirements. Ryan shares valuable insights from his extensive experience in the field and hints at important changes coming in 2025 that will affect government contractors.
Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don't miss out on the conversation!
Mike Shelah (00:00)
Hello everyone, and welcome to the Cyber Savvy Podcast. I am your host, Mike Shelah, technology consultant with DTC. Today's episode is powered by DTC. To learn more about us, you can go to www.dtctoday.com, and remember, at DTC, we make IT work. All right. So I am excited to have our guest on for these next couple of episodes.
Mr. Ryan Bonner is the CEO of DefCerts. He is a man that is frankly quite brilliant when it comes to not only cybersecurity, but the CMMC landscape and what's going on with government contractors out there. So Ryan, thank you so much for joining this Cyber Savvy Podcast.
Ryan Bonner (00:51)
I'm really excited to be here.
Mike Shelah (00:53)
Awesome. Awesome. So I like to start the show with something called "business person," meaning, yeah, yeah, we're cybersecurity people, and we're dealing with the government contracting space, and we're doing a lot in the business-to-business world. But ultimately you are a person. I love to hear something fun or interesting or unique. You know, our last guest told us that she was from Maine originally, so she was a Maryland transplant.
The guest before that told me that for fun, she has a rescue dog and she helps with rescues on the weekend, literally rescuing people that have gotten lost out in the woods and stuff. So I always find out fascinating things about my guests. Tell me something fun or unique or interesting about you, Ryan, when you're not protecting the world from cybersecurity threats.
Ryan Bonner (01:43)
You know, I've sort of settled into somewhat of a boring lifestyle in the last year or so. We had our first child. And so I'm just, like, setting lower expectations and thinking more about, you know, routine and things like that. But, you know, before that, you know, I would say that a big part of my growth and learning path in the professional world
Mike Shelah (01:55)
Congratulations.
Ryan Bonner (02:13)
has come from looking for a second job that I can do while I'm working a regular gig, a full-time gig, whatever that might be, so that I can pick up new skills and things like that. Thankfully, now that I'm running DefCerts and behind the helm of that, I can create a second job for myself anytime I want inside my own business.
But before that, I had a lot of fun in prior careers working a volunteer gig or just working a second job that would teach me something new and exciting. And so I've had a lot of great experiences in those second jobs where it's not as high stakes. It's not really where your main source of income is coming from, but you can learn something new. And so that was always fun for me, learning how to
wait tables, learning how to install car stereos, whatever the thing might be that just would let your brain solve a new and unique set of challenges so that you didn't feel like a dried-out husk every day leaving your main gig.
Mike Shelah (03:25)
Ryan, I absolutely love that. This past summer, I went back to something that I absolutely loved when I was in college, which was working at a restaurant. And I only did it a couple of nights a week. But I appreciate that because it's very simple. It's very direct. You know what you've got to do. It's a lot of hustle. It's a lot of doing without thinking and being strategic. It's a lot about being nice to people and interacting.
So I absolutely love that. That's one of the many passions that you split, and volunteer work as well. So that is fantastic stuff. So let's set the table here, Ryan. About 15 years ago, I was working for a nationwide telecom company that gave me my first doorway into cybersecurity. So I was working for a company where one of the tools in our product set
was doing compliance assessments for prospective customers. And I loved that, because up until that point, I was the guy that walked around saying, hey, you want a cheaper fiber connection for your business? I'll save you 10% on your bill. It was a very transactional conversation. But I felt like entering the cybersecurity world now gave me an opportunity to truly solve problems and address the needs
of my clients. And I'm curious, you know, how did you become involved? What brought you into the cybersecurity world, and when?
Ryan Bonner (04:57)
Yeah, and I think that for me as well, I started out in the world of technology in much more commoditized ways, we'll put it that way. I worked for telecom, I worked for AT&T, and this is when all sorts of new technology was entering the space: the iPhone, like, a brand-new invention, smartphones, apps, what does that do for us? And it put this huge focus on the cloud,
because you, for the first time, needed to have capabilities and more data travel with you. It wasn't just going to be on your work computer. It needed to be on your mobile device and things like that. And so I saw that cloud transformation start to happen. Then I moved into managed IT services. And in doing managed IT services, I started to see cybersecurity be kind of a luxury that has
since become more of a standard staple that you have to have. It's just part of the cost of doing business now for a lot of organizations. And so while I was working in managed IT services, where cybersecurity was becoming more prominent, I was tapped on the shoulder to be part of a new program. I'm in the state of Michigan, and every state has something called a NIST Manufacturing Extension Partnership program, or an MEP program.
Mike Shelah (06:19)
Mm-hmm.
Yeah.
Ryan Bonner (06:21)
And this is sort of the outlet for the National Institute of Standards and Technology to sort of promulgate, like, any manufacturing best practices that they are currently working on standards for. And NIST also writes all of our nation's cybersecurity standards adopted by government. And so in that overlap, NIST had developed this new draft document that wasn't public yet called Special Publication 800-171, which is the de facto standard now
for safeguarding controlled unclassified information. And I was asked to start reading this document and start thinking about how you could interact with manufacturers and start to assess whether or not they were doing the things that were described in this document. And so pretty quickly I noticed that a lot of people in the space were leaning on prior experience. You know, well, we had experience with SOC or HIPAA HITECH or PCI DSS,
it can't be that different. And I was reading it and saying, this is very different. And so slowly, I just started to be the only person who was doing the reading, like, who was actually doing their homework on these new requirements. And that provided me an opportunity to start doing work for NIST MEP programs in several states. And that's really a big part of how I got into this space full time,
starting DefCerts, focused almost exclusively on these data safeguarding requirements for government contracts.
Mike Shelah (07:57)
All right, you said so many wonderful things in that. I want to go back to right at the very beginning, that so many people you talked to saw cybersecurity as a luxury. And unfortunately, I think particularly for the small and medium business market, you know, that five- to, say, 150-employee company, that's still very true.
You know, the number of businesses that I've spoken to that, when I ask them about their cybersecurity, they go, we have that taken care of. And I go, what does that mean? And they just sort of get this odd silence and, like, my IT company takes care of that for me. And unfortunately, that often means that they set up a firewall,
they turned on the antivirus, and they activated Windows Defender and said, you know, hey, Mr. Customer, if something breaks, call us. That's challenge number one that I see out in the marketplace. Challenge number two is the big box organizations. I won't name any, but one of them rhymes with "mom cast," that has this, you know, this security that they add to their wireless devices for small businesses.
And so the business goes, I set this up and now I'm secure. Or again, they've just, they've put their trust in a very small IT company that's not taking a cybersecurity-first perspective. I was just having this conversation yesterday. You know, when's the last time you walked into a doctor's office and the doctor sits you down,
or the nurse sits you down after taking your blood pressure and all of that, and says, okay, the doctor will be in in five minutes. And it's never five minutes, you know, it's 10 minutes, it's 15 minutes. And all of that time, in the corner is a computer, an unlocked computer, and all your data is just sitting on it. Which means that anybody could walk in with a USB or, you know, just send stuff to a cloud somewhere else. And, you know, they've now broken the protocol of that organization.
So I think we're better off than we were, but there's miles to go before we sleep, isn't there, Ryan?
Ryan Bonner (10:24)
Yeah, and you know, I think that some of the things that you just described, small business saying, you know, I think I'm covered there, or I know I have some things that keyword-match the category you just described. You know, that's an education issue, where business owners, when they're faced with a new emerging category of something they haven't had to care about, how would they have subject matter expertise, right? How would they know
Mike Shelah (10:51)
Yeah, excellent
point.
Ryan Bonner (10:53)
what a good outcome looks like? And I think that's an inability for business owners to describe the outcome they're looking for, or to know how to impose good requirements on their organization and make sure that they're protected. It's just, you know, it's a disparity in the ability to describe what you need and what you want. And I think that there's also just a general problem with people
understanding the completeness of their situation. Yeah, my internet service provider claiming security has WPA3 available on my Wi-Fi access point. Fantastic, congratulations. What about the rest of your environment? And it's buying these spot solutions that only address a few percentage points of the overall need, and you've got these massive gaps in your requirement. It's like someone buying a
security alarm system and they just have the keypad and one door sensor. And they're like, I have security as a category. I have it. But they're not thinking, well, what about the window sensors? What about the other doors? What about this, that, and the other? And so they haven't thought about how to make sure that the claims that they're making are true throughout the places where they need to be true. And that's
the big rude awakening, I think, that is coming for a lot of organizations when it comes to CMMC. They have something over there, they have a little bit of this over there. They have not synthesized it into a complete understanding of how true their claims are and at what scale or scope.
Mike Shelah (12:36)
Ryan, I love the home security analogy. So very early in my sales career, back in '96, '97, as a young twenty-something-year-old man, I sold ADT's home security door to door. And it was a straight commission sale. And I remember that, like, our shtick, because unfortunately all those companies had a shtick, was they would call up people and say, you've been selected to receive a free home security system. All you have to do is pay the monthly monitoring.
And we did just that. So we installed a keypad and we installed two door/window contacts, one for the front door, one for the back door. But the real sale was us telling them about total protection. So, you know, having the connected fire and smoke alarms, having the passive infrared system that scans the entire room, adding door and window contacts to every door,
and then what that looks like. And that's a wonderful analogy, because as you alluded to, NIST 800-171 is exhaustive. It's comprehensive. When I talk to people about that, I tell them there are 110 control requirements that go into this. And as I'm sure you're going to share with us during these conversations,
there's more than one way to skin a bunch of those cats. It's not simply a matter of I have this, box is checked. It's almost a cascading effect. You have done this, so that impacts control 10 and control 27 and control 45. So again, you deal with this every day. Sort of give us the outline of those 110 requirements. Again, we've got 20 minutes.
Ryan Bonner (14:32)
Yeah, I think that when you think about the way that NIST 800-171 is structured, it's difficult for a lot of people to approach, because people tend to have their comfort zones, for lack of a better term. And so if you are not in IT, maybe you're an operations person or the owner of a business, whatever it might be, you're going to focus more on what are the most expensive parts of this equation,
Mike Shelah (14:44)
No.
Ryan Bonner (15:00)
who has to be responsible for doing some of these things. You tend to gravitate towards the documentation requirements. And you see people kind of oversimplifying it as, it's just, I just need to have a bunch of policies. I know I already bought IT. I know I already have some security. I must just need the thing I know I don't have, which is policies on these topics. And so then that's kind of where they camp out and they stay in their comfort zone, because maybe they've had to do documentation work before. Maybe they have a quality management system
Mike Shelah (15:12)
Checking the box.
Ryan Bonner (15:30)
already operating in their organization. So they're gonna live over there. Then you have people who come in who are IT focused, and they're like, show me the requirements that have to deal with tooling and security tools and specific configurations and things like that. And they're gonna lean hard into that. And they're gonna say, maybe there's some documentation burden, but I'll worry about that later. I need a SIEM,
because I see these audit and accountability requirements. I need vulnerability scanning tools, because I see these risk management requirements. I'm going to need allowlisting, because I see these configuration management requirements for software. The list goes on. And so what I think most organizations need to do is zoom back out and identify that it's a both-and equation here. You know, you've got a mixture of
non-technical requirements that are high-level policy setting and governance. Some of them are very operationally grounded day-to-day activities. And then you also have these IT system requirements. Some are static, like you just need to do this one-time work to have this desired system state, you know, screen locks, whatever that might be. And then you've got these ongoing IT tasks that are much more operational. You need to, you know,
be doing these types of monitoring, or checking on whether these security controls are still correct, or respond to an incident in this way. And so it's very broad-based from that perspective. It sort of dabbles in both camps, you know, where other IT security compliance requirements and things like that mostly stayed either completely, like, in the policy and operations side of the house, thinking of, like, an ISO-style standard,
or became very tactical at a technical level, like something like PCI DSS. This is much more coverage across those different practice areas. And so NIST 800-171 introduces a lot of stress to organizations who haven't had to manage their IT and security and business operations and policymaking
and governance activities, like, in one unified view. All of a sudden, parts of the brain that didn't talk to each other now all have to work in concert. And so that can be very difficult for organizations.
Mike Shelah (18:07)
Yeah, I love that explanation. One of the examples that I like to give about the impact this has is: a company hires Bob. Bob's going to get a company laptop. So depending on Bob's job title, he will have access to certain applications. And the device that he's given will have certain software loaded on it. That device will also have certain privileges. So the CIO
has administrative capabilities within the company, but Bob, who's just working in the accounting department, does not have administrative capabilities on devices. And on top of that, that needs to be documented. Because should Bob be promoted and now is the director of IT reporting to the CIO, well, his access and capabilities are going to change radically.
And that's a common thing, that people get promoted, you know, based on marriage and showing. So what was okay for Bob last month is not okay for Bob next month, for different reasons. He has new accesses. We've closed off other accesses. And that's why when I talk to a business, I want to start with the owner or the president or the CEO, because I like to tell them, I understand you think
this is a technology problem. But I want you to understand this as a revenue and a brand problem. Because yes, there is a cost associated with this. And we're going to get a little into that in the second segment, about the uphill climb financially, as well as the time commitment, to do something like CMMC. But it's pennies on the dollar compared to the consequences
that are out there. You know, CMMC, in my opinion, is a game changer, because this is the first time that they're putting it at the front of the cart. Like, this is now a barrier to entry for businesses to do business. Whereas everything else up until now has been, okay, are you doing this? Yes, I'm doing this. Okay, you said you were doing this. We caught you not doing it. So now we're going to impose all these fees and fines and requirements.
And we're only going to give you 30 days to do all of this. So it's a hot scramble, and you're going to spend a ridiculous amount of cash. I'm guessing you've seen similar things in the marketplace.
Ryan Bonner (20:37)
Yeah, you know, there's definitely a need for organizations to justify something like this. You can't just walk into an organization and say, you need CMMC because, what, I said so? You know, there's a real set of cognitive biases inside of every business owner's brain, myself included, where
you're going to gravitate towards the things that are more pressing for you, feel more painful, things of that nature. One of the things we deal with constantly is survivor bias. The last time someone yelled at me about cybersecurity, I didn't lose the customer. I didn't go out of business. I wasn't debarred. So it's not going to happen next time.
It's the same thing as people in London, you know, during World War II, during, you know, the German bombing. You know, the bombs didn't kill me last time, so maybe I don't go to the bomb shelter this time. Maybe I just stay out. And the problem with survivor bias is the people who died aren't around to warn you. So you have no negative storyline, no negative account of bad things happening. And
this idea that maybe I'll be okay. The number of organizations who won't tell you the reason they had to shut their doors was because of a ransomware attack. There's quite a few people out there that don't want to admit that that's what put them out of business.
Mike Shelah (22:16)
And they don't make the front page of the newspaper because they're not a big name like Target or P.F. Chang's, right?
Ryan Bonner (22:21)
Yeah, yeah, exactly. They don't have the funding to recover. And so by that same token, you're not going to have people telling you, the reason I got out of government contracting, particularly defense contracting, was because I could no longer bid. They're not going to say I lacked the foresight to get ahead of this and to stay in the game and maybe even improve my position. They're going to say, they're a
Mike Shelah (22:25)
We're just going.
Ryan Bonner (22:48)
bunch of jerks, whatever the rationale will be, and you'll never know that that's what happened to them. And so from that perspective, I think that when you walk into organizations and try to say something as brash as "you are going to need CMMC," you better have some rationale behind that. You better be able to explain the objects that are in motion and
Mike Shelah (22:52)
Yes.
Ryan Bonner (23:16)
basically show organizations that these other contracting mechanisms, these other government regulations that you are familiar with, that you have had to adapt to, that have posed existential threats to your continued existence as a government contractor, those same mechanisms are now being used on the topic of cybersecurity. That's the reason why you need it.
Mike Shelah (23:39)
Yeah, very well said. I love the survivor bias commentary, because in my experience, so I have been selling some flavor of cybersecurity now for 10 years to businesses, and I would say about 70% of the people I end up doing business with is because of one of two things. One, something bad happened that didn't kill them,
but it caused enough pain. They said, I don't ever want to go through that again. Or they had a near miss. My largest client a few years ago, a property management company with 200 employees, I had spoken to their president early on in my tenure there. And she was like, oh, we are looking into that, but my CFO is really handling that.
And so I sent an email to the CFO, and I sent another email, I sent another email, another email. And I didn't even get a polite no thank you, I was just ignored. So, you know, being a good little salesman, I put that in the tickler file and I march on to find other opportunities. And six months later, that opportunity comes back. Well, I come to find out they were literally this close to wiring $10,000 to a hacker.
The only reason it got stopped is because the dollar threshold triggered something at their bank, and the bank called the CFO to say, are we really supposed to be sending this money to this vendor that you've literally never done business with before? And that was when they said, wow, okay, there's something here, our one IT director really can't effectively manage the cybersecurity of our 200 employees and our 500 endpoints.
Ryan Bonner (25:30)
Yeah, that's totally valid too. I mean, you know, when you've got a situation like that where you have that near miss and you can decompose it for, like, what happened, what went wrong, that can be a real wake-up call for organizations. And so I think that, you know, I've had the unfortunate experience of helping companies go out of business because
something like that happened. I've had the unfortunate experience of explaining to someone that they wired money to the wrong individual and that money's gone now. And that definitely is a terrible feeling. When we think about the elements of that that might not exist in the defense contracting space, most of the nation-state actors
who are trying to exfiltrate this data don't want you to know that you've been had, that you are the victim. And so they're very polite. They clean up after themselves. They will quietly move in and exfiltrate the data and sit in that environment and wait for more to arrive. And they're not going to bludgeon you over the head.
Mike Shelah (26:53)
They're not going to demand money. They're just collecting their data. It's like
a monthly paycheck.
Ryan Bonner (26:57)
Yeah, yeah, exactly. And so there are some elements of defense contracting where the traditional,
you know, I guess, marketing messages around preventing negative outcomes just don't apply in this situation. And so it becomes more of an issue of, you know, what will motivate a contractor to take this seriously and address the issue. And it's going to be education on, you know, why these things matter and why they are integral to the continued existence of your organization,
but then also how these regulatory requirements, grounded in an understanding of these threats and risks, are also an existential threat. Like, I'm not one of those people who plays identity politics and grandstands about, like, you need to do this because you care about your country. Like, I'm looking at business owners and I'm saying, there's a really good chance that one of the biggest threats to you
is regulation. And I'm not saying that the regulation is bad. I'm saying it's a slow train coming, and there will be negative outcomes for people and there will be positive outcomes. Yeah, yeah. So are you getting on the train, or are you lying on the tracks? I mean, like, you have a choice here.
Mike Shelah (28:11)
slow but steady and not stopping.
I think that is an excellent place to wrap up this segment. And I cannot wait to dive into CMMC with you in our next conversation. So Ryan Bonner, thank you for joining us. To our viewing and listening audience, thank you for tuning into the Cyber Savvy Podcast. Be sure to come back for the next one, because Ryan's really gonna get into the nitty and the gritty when it comes to CMMC
and what's going on, and what radically changed on December 16th that is sort of making this an all-hands-on-deck conversation for 2025. Thank you all so much for tuning in.