Episode Guest: Shawn Robinson
Episode Host: Jerri L. Bland, Ed.D., Cloud CIO
Jerri Bland: [00:00:00] Hello and welcome to the first Cloud CIO podcast. My name is Jerri Bland with Cloud CIO. My mission with these podcasts is to share the expertise and guidance of industry professionals to help you maximize your technology investments, improve customer service, and increase revenue. I’m pleased to have as my guest today, Shawn Robinson, a principle with Cloud Eye Consulting.
Shawn Robinson: [00:00:24] Hey, good morning, Jerri. Thanks for having me on your show.
Jerri Bland: [00:00:27] Glad to have you. We’ll tell our listeners a bit about yourself .
Shawn Robinson: [00:00:31] Yeah, sure. Thanks. My name is Shawn Robinson. As Jerri mentioned, I’m the managing principal for Cloud Eye Consulting. We are a technology consulting company based in the Charlotte, North Carolina area.
We focus primarily on medium and small sized businesses helping those companies to analyze their technology and how they’re using it to enable their business and come up with solutions to help them further enable their business with these technology solutions. So I have about about 28 years of it networking and security experience. Started out in the military and just transitioned from there into a different professional roles working with telco companies and then moving into financial services from there before starting Cloud Eye Consulting
Jerri Bland: [00:01:23] Excellent. Well, I’m definitely looking forward to our conversation today. Now, when we first started talking about the idea of the new cybersecurity certification process that is now part of federal contracting, I don’t think either of us envisioned a world where COVID-19 would so drastically alter our daily lives. But I gather much of what we’ll talk about today and what you’ll share with us is potentially even more vital as so many businesses and organizations have made rapid transitions to a mobile workforce or enhancing their virtual engagement with customers.
Shawn Robinson: [00:02:01] Yes, absolutely. A lot of the requirements around the CMC will not only be applicable to federal contractors who are doing work with the federal government but also private businesses will be able to take advantage of this same framework and apply it to their business as well to help them make risk based decisions around their technology and security.
Jerri Bland: [00:02:25] You mentioned the acronym CMC. What does that stand for and what is that about?
Shawn Robinson: [00:02:29] CMMC is the cybersecurity maturity model certification. The DOD under the guidance of – the lady’s name is Katie Aronson – they’ve come up with this framework that they’re requiring of federal contractors to be in line with this framework.
Prior to the CMMC, federal contractors were able to self-certified their security. But as we’ve had additional compromises with the federal supply chain, DOD is basically trying to sure up the federal supply chain from a security standpoint by requiring any contractor who’s doing federal work to have certain levels of security in place. So the CMC basically consists of five levels, levels one through five, and I believe there’s a total of about 180 different controls within that. So from what I understand right now is they’re looking for, the majority of folks are gonna fall between level one and three for security. So this tool is going to allow businesses to understand where they are, be able to create a roadmap to get to where they need to be to ensure that they are securing what the government calls, critical unclassified information.
So if you do lawn maintenance on a military base, you may have a map of the base. You might not think that that’s something that is critical, that needs to be secure. But when you’re talking about nation state actors, that they can get access to that type of controlled unclassified information that will allow them to have some more visibility into a particular installation.
So things like that, that a lot of people might not necessarily lead you to have the highest level of security, like you’re dealing with top secret information, not to that level, but you can get that information and you can make what they call inferences from that data there and gain further information.
Jerri Bland: [00:04:52] So people who are new to learning about the CMMC process, what are the most critical elements that they probably should focus on.
Shawn Robinson: [00:05:03] For most companies that are dealing with the federal government, a lot of them are not tech savvy. So certain things that I would be advising companies to do as they start this journey to get involved with CMMC is they need to have somebody on their staff that’s a certified security professional, somebody that understands security and how to put the controls that are going to be required in place. One of the other things they need to do, they also need to be careful about the vendors that they select, because this is a new standard that’s coming out.
So there’s a lot of what I would call snake oil salesmen out there that are purporting themselves to be CMC experts and they can get people certified to level five and this data the other, right. Even though the CMC. Itself is still in the draft process. The accreditation body is still working to finalize the entire accreditation process. They don’t have the assessors and everything all in place , so understanding that and then also looking at understanding how you will maintain compliance going forward because it’s not a onetime deal.
Federal contractors need to be adhering to NIST 800-171 that is the current standard that’s in place. CMMC is going to be replacing 800-171. So it’s scheduled to begin to roll out in June of this year. But now with this COVID-19 situation, I’m not sure if that is going to change, but from what I’ve heard , it should not change.
It should still be rolling out in June. It should start being applicable in June and the longterm goal is to have complete rollout by 2025 because you have to keep in mind that there are contractors already who are under government contracts. This is not going to be retroactive. So they are going to still, be under 800-171 until their contract runs out. And then if they are going to renew that contract, that’s when they’ll be under CMMC and no longer doing that self certification.
Jerri Bland: [00:07:33] Earlier, Sean, you mentioned , in order for businesses to begin to prepare for this certification, that they may need to have somebody on staff that has the ability to help prepare for certification.But what if they don’t have the budget or the ability to hire someone that has these skills? What do they do?
Shawn Robinson: [00:07:54] Well. So there’s a couple of things that they can do, Jerri. I would recommend for, a small business that does not have the budget to hire a security professional full time, they can opt for what you would call a fraction or a virtual CISO.
So that would be basically a security professional that they could bring on an as needed basis to help them to understand what their current state is in relations to the CMMC or the NIST 800-171 and then help them to begin to develop the plan or the roadmap to get to their desired state.
So they can utilize someone on a part time basis that can help them come in and understand things like how complex their current infrastructure is, because most companies are going to be outsourcing their IT to like an ISP or some sort of vendor. So that security professional can come in and help them understand how complex their current environment is, how secure it currently is, and help them identify what CUI they have – when I say see you, I mean control unclassified information- help them understand what CUI their organization is handling and then also help them understand what level they’re at.If they’re at one they can do an assessment for them and then say, okay, you’re at one, we want to get to three, and this is how we’ll get there.
Jerri Bland: [00:09:34] So people should not assume that because they’re outsourced or because they’re using cloud services, that they are necessarily meeting particular gates for certification?
Shawn Robinson: [00:09:49] Correct. You would need to have someone to assess your security. So a lot of times. Companies make the assumption that, okay, well I got this company X doing my IT services so they are securing my environment. That may not necessarily be the case, even though they may tell you that they are, unless you have some external third party come and actually assess that and validate the security of your environment, you don’t know that to be so.
Jerri Bland: [00:10:23] And so thinking about hiring an outside consultant or an outside CISO to look at your environment, what kind of budget impact is that? And how long would you suspect that this type of engagement should take.
Shawn Robinson: [00:10:39] Well, I’ll give you the consultant answer. It would depend. It’s going to depend on a lot of, it’s going to depend on a lot of factors. How organized is the organization already? If the company has a good, clear framework and set up that they’ve been using to help this customer in their IT, it may not take that long for a professional to come in to do an assessment with the company, identify any gaps and then work to remediate those gaps. But if, they’re a smaller company and they’re dealing with a smaller service provider who may not necessarily have all of the right people and processes in place themselves.
That security professional may come in and identify a whole host of gaps in that business’s security posture. So then it will take, it will take longer. It’s going to depend on the company where they are currently and where they’re trying to go. That makes sense to you?
Jerri Bland: [00:11:53] It does. It does. And I’m assuming, thinking about this from the small business perspective, even if you are potentially a sub on a contract, so you’re working with a prime vendor lead vendor and you are upset contractor, you’re still required to meet those particular aspects of certification, or does that only apply to the prime vendor.
Shawn Robinson: [00:12:17] That is going to apply to the sub as well. Most, most prime vendors are going to push that requirement down to that self contractor. Because at the end of the day the prime is going to be ultimately held responsible for a breach. If that controlled unclassified information is accessed by someone that it shouldn’t be. So that prime is going to be held ultimately responsible. So it’s in the best interest of the prime to ensure that the requirements are filtered down to the subcontractor.
Jerri Bland: [00:12:58] as people really start thinking about what their plan is to move forward with certification, they will potentially look for a consultant or potentially hire someone in house to help them achieve certification. What are those things that they might need to look for and think about as they are trying to identify who to select to help pursue the certification.
Shawn Robinson: [00:13:25] Yeah, so I think, so w one of the things I would say is that that’s where having that security professional on staff, whether it’s full time or part time, is going to help that business out. Because that person is going to be able to identify what products or services make sense for a business to bring in because there’s going to be a lot of companies out there that, as I mentioned, we’re going to be trying to sell you services, that we can do all of this in relation to CMMC. Right. But not necessarily being truthful with the business, right. Because a lot of salespeople. They use what we call foot, right?
Fear, uncertainty, and doubt to get people to buy product so that, Oh yeah, security professional is going to be able to help you cut through a lot of that fear and uncertainty and doubt. And if you’re looking at, for example, if you’re looking at, Oh, okay, having a managed security provider, do your security.
For your business. And they say, okay, we can do your security inline with cm MC level three. Right? One of the things I think that, that, that business and then that security professionals should be asking that business that’s going to be doing that manage security for them is, you know, making sure that they have.
Clear and measurable service level agreements with that vendor so that they can understand how the services aligned to the controls within the CMMC. You want to make sure that you have tight contract language with those vendors. And you also want to understand, like, how is that managed service provider doing, doing security internally? What security frameworks are they utilizing? So if you asked the question of a managed service provider, like what security framework does your organization fall under, right? You would hope that they would say they use the NIST cybersecurity framework or they’re using ISO 27001. They will be able to clearly articulate to you what security framework they have in place, and if they are not able to articulate that to you as a business, that would be a red flag to not do business with them, in my estimation.
Jerri Bland: [00:16:19] So where does the business find more information about the security frameworks and what they really should ask for when searching for a consultant or someone to help with their security?
Shawn Robinson: [00:16:34] well, there’s a lot. There’s a lot of information that is online, Jerri,and I can, if you want to, I give you some links after the show that you can link to the show notes where there’s a lot of free tools out there for people to start the journey on their own. Just that they can have like a base idea. Again, the intention never be for the business owner themselves to try to implement the CMMC framework. They should have a competent advisor on hand to help them do that. So that competent advisor, I would say, would be somebody that would hold certifications like the CISP, which is a certified information security professional, or the CISM, which is a certified information security manager, or the CRISC, which is a certified in risk and security control. Someone that holds those types of certifications, they’re going to have the requisite years of experience and understanding of cybersecurity to help those customers meet the objectives of seeing CMMC.
Jerri Bland: [00:17:53] . Well, I definitely appreciate your time today, Sean. I hope our listeners have been able to get a really good idea of, , the beginning of the foundations for the CMC M M C certification and what it means potentially to their business. And their goals for potentially sewing future DOD contracts. So as we approached the end of our time together, can you tell our listeners how they can contact you if they want to talk more about this particular topic?
Shawn Robinson: [00:18:21] Yeah. Thanks Jerri. So you can reach me, , on LinkedIn. Dee Robinson on LinkedIn or cloud. I consulting on LinkedIn as well. Also, you can find us on Twitter at cloud. I consulting on Twitter, Twitter, so if you reach out there or you can email me if you want to have an email conversation is Sean dot Robinson at cloud, our consultant.com and I’ll definitely be willing to reach out and connect with anyone who needs help.
In regards to the CMMC.
Jerri Bland: [00:19:00] Well, thank you for so much for being with us today, Sean. I hope we’ll have an opportunity to talk more about security topics in the future.
Shawn Robinson: [00:19:07] Yes, absolutely. Jerri, thanks for having me on your show.
Thank you. This is Jerri Bland with Cloud CIO. If your organization needs technology strategies, processes, or solutions that deliver results, schedule an appointment with Cloud CIO today. Thank you for listening. Be safe and be well.