Cyber threats are growing every day, putting your company at risk. That's why we want to tell you about the new episode of Stimulus Tech Talk with cyber expert Leia Kupris Shilobod. She shares practical guidance on locking down your systems and meeting the Department of Defense's CMMC requirements.
Stimulus Tech Talk: Compliance Unveiled: Navigating the CMMC Landscape with Leia Kupris Shilobod
Understand the Complex New CMMC Regulations
Leia is the CEO of Compliancy IT, a leading provider of Cybersecurity Maturity Model Certification (CMMC) compliance services. She has authored books and produced films on cybersecurity. In this episode, Leia breaks down the complex new Department of Defense CMMC regulations step-by-step.
Leia expects the final CMMC rule in late 2024, with the CMMC clause then appearing in DoD contracts in a phased rollout, and she advises contractors to be ready for certification in 2025 or risk losing their DoD contracts. It starts with understanding the level of certification required based on the kind of information you handle: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Leia explains how you'll need to implement the security controls, document them, get assessed, and gain certification.
CMMC Reaches Beyond Prime Contractors
We learn how CMMC reaches beyond prime contractors to subcontractors. Leia reveals that under the proposed rule, IT managed service providers (MSPs) serving defense contractors must meet the same CMMC level as their customers. This will require major improvements in MSP security controls, which Leia details, and she candidly assesses the gaps many MSPs need to urgently fill.
Get Ready Now to Meet 2025 Deadlines
Leia maps out a timeline for CMMC readiness in 2024 to be prepared for certification in 2025. She shares tips like conducting the annual security self-assessment now, since the NIST SP 800-171 controls have been a contract requirement for years. Leia explains pitfalls to avoid so you can successfully implement the controls.
"There are hundreds of false claim cases in backlog with the Department of Justice. That's how many claims have been made about organizations that made a statement about what they were doing, and that they're actually not doing it. The Department of Justice takes this very seriously."
– Leia Kupris Shilobod
Don’t Risk Fines, Loss of Contracts, and Legal Action
The discussion delves into consequences of non-compliance from stiff fines to loss of contracts and jail time. Leia stresses the importance of taking CMMC seriously. She says sticking your head in the sand is too risky.
Key Lessons on Compliance and Risk Reduction
Host Nathan Whittacre, CEO of tech leader Stimulus Technologies, helps to sum up key lessons so listeners can easily grasp the CMMC essentials. Nathan observes compliance is not just an IT issue but an administrative priority. Compliance reduces but doesn’t eliminate risk.
Gain Specific Knowledge to Get CMMC Ready
This episode of Stimulus Tech Talk arms you with specific knowledge to get CMMC ready. Protect your DOD contracts and enhance security with Leia’s guidance. Tune in to pick up best practices and practical insights you won’t find anywhere else.
Get the Inside Tech Perspective Weekly
Stimulus Tech Talk simplifies complex tech developments. Nathan demystifies topics from cybersecurity to digital transformation. His conversations with guests like Leia provide rare access to foremost experts.
Don’t wait to subscribe and stay current on technology trends. New episodes come out every week on your favorite podcast app. Stimulus Tech Talk gives business leaders like you an insider’s perspective on tech. Listen now to Leia explain CMMC in plain language so you can take strategic action.
Compliance Unveiled: Navigating the CMMC Landscape with Leia Kupris Shilobod - transcript:
Nathan Whittacre 00:15
Hello, I'm Nathan Whittacre, CEO of Stimulus Technologies, and this is Stimulus Tech Talk. We're very excited to invite back Leia Shilobod, one of our first guests on Stimulus Tech Talk. Welcome, Leia.
Leia Shilobod 00:32
Hi, thank you for having me here today.
Nathan Whittacre 00:36
So Leia is the CEO and CSO of CompliancyIT, which just recently went through a rebranding of your website and of your company. I better know Leia as the IT Princess of Power; we've known each other for quite a few years. She's also the author of Cyber Warfare: Protecting Your Business from Total Annihilation, and she co-produced and starred in a documentary, Cybercrime: The Dark Web Uncovered. Leia is a security advisor, especially around CMMC and a lot of different compliance. And I'm excited to have her on to talk about some new rules about CMMC that have recently come out. So welcome, Leia, and let's talk a little bit about compliance. First, what is compliance? Could you, in your words, to somebody that doesn't know technology or doesn't know the IT space, a CEO of a manufacturer or somebody that works with the Department of Defense, explain what compliance means to a small to midsize business?
Leia Shilobod 01:40
That's a great question. So when we're talking about compliance, we're talking about creating a set of standards or controls, and aligning the organization to those standards. Specifically, when we're talking about cybersecurity compliance, it'll be a number of standard controls that address cybersecurity, or increasing security in the organization. Now, those compliance requirements can be external pressure. So regulations like CMMC, like the DFARS 7012 clause, like HIPAA, and like the FTC Safeguards requirements: it can be external pressure on the organization to implement these requirements. And then there's also internal pressure at times. So what's important for the organization, like assessing the business risk, and what kind of information you need to protect, what kind of processes and people are important to protect, and then creating your own standards or your own controls to address that business risk.
Nathan Whittacre 02:54
Well, it sounds to me like compliance is not an IT problem. It's more of an administrative and business problem. Would you agree?
Leia Shilobod 03:04
Absolutely. I mean, it's all about managing your business's risk. And clearly, if you have an external regulatory requirement from some agency, and you don't implement it, then that's a risk to your organization. You could lose contracts, you could have fines. So, absolutely. And then when you're talking about internally, it is also a business decision: identifying where the risk is in your organization, creating those standards, and then aligning to them to decrease your risk.
Nathan Whittacre 03:37
Now, these outside regulatory organizations, whether it's governmental or an outside company that requires this compliance, when they're putting that pressure on an organization, does that mean that the organization is devoid of risk once they achieve that compliance? Or is there still some risk that occurs, if they're meeting all the regulatory compliance requirements?
Leia Shilobod 04:07
There will always be risk in business. I mean, first of all, you and I started our own companies; that was a big risk. Continuing to run the company is a big risk, right? We've got all these people we have to employ and make sure they get paid. And what happens when there's a lawsuit? I mean, there's always risk when you're operating an organization. The thing, however, is that there are always ways to be able to decrease your risk. If you don't talk about your risk to start with, then a lot of those things can be sort of invisible to you, sort of like, well, we're not talking about it, maybe it doesn't really exist. And that's why it's important for every organization to assess what their risk is in operating their business, and then to determine how they're going to treat it. Are they going to address it by mitigating it and making some changes? Are you going to transfer your risk to an external company? Are you going to avoid doing the thing that's causing you risk? That happens a lot with safety, right? We have risks in manufacturing plants associated with safety, and there are things we can just not do, and we can stay safe. And then you could also choose to accept the risk: you understand this could happen, you understand the impact on the organization, and you're still going to say, I'm going to accept that this might happen and the repercussions. Now, when you have external regulatory requirements, accepting the risk of not implementing those requirements is a really big risk to your organization, and I would not recommend it.
Nathan Whittacre 05:47
So you're saying that sticking your head in the sand like an ostrich isn't the best way to move forward with compliance or risk mitigation?
Leia Shilobod 05:56
Correct.
Nathan Whittacre 05:59
But we find a lot of businesses do that, right? It's, you know, "we're too small," "we don't know what we're supposed to do," "I got this letter, and I'm just going to ignore it." A lot of companies ignore that. So what have you seen over the years working with non-compliance? What are the ultimate potential consequences of avoiding compliance?
Leia Shilobod 06:25
So I have talked to some companies that sort of joked about, you know, getting letters about requirements, and then just kind of, ha ha ha, threw it in the trash can, which for me, I was quite taken aback by, because that can massively impact your company, and you do want your company to stay in business. It's your biggest asset as a business owner, the company that you own. So, if you decide that you don't want to comply with regulations, then depending on who the regulations come down from, there can be a lot of different consequences. Like I mentioned before, fines can be levied, and you can lose contracts. Now they say, well, how are they going to even find out? Some regulations require that you report that you're doing those things, or at the minimum, require a self-attestation, which is a legal document that you sign and say, I attest, we are doing this. And at that time, you're making a false claim if you are actually not doing that thing. So with working with the federal government, we actually have a False Claims Act: if an organization makes any kind of representation about what they're going to do with the federal government, and they don't do those things, that's considered a false claim. You lose your contract, and there are lots and lots of fines associated with that. So currently, there are hundreds of false claim cases in backlog with the Department of Justice. That's how many claims have been made about organizations that made a statement about what they were doing, and that they're actually not doing it. So the Department of Justice takes this very seriously.
Nathan Whittacre 08:33
And it could end up with jail time, even for the owners and operators of the company. It's essentially a significant risk. So let's talk about CMMC. Tell the audience what CMMC is, because we often throw out acronyms and nobody understands what we're talking about when we say CMMC.
Leia Shilobod 08:57
So CMMC is my absolute favorite thing to talk about in the whole world. That's why we're here today. So it stands for the Cybersecurity Maturity Model Certification. That's where all the letters come from. So it came to be because way back in the day, I think it was around 2013, there was a requirement for contractors who hold some of the government's information, which is called CUI, controlled unclassified information. And when you have that information, you're required to implement certain safeguards for it, because it doesn't actually belong to you; it belongs to the federal government. And the CUI Program is for all agencies. It's not just DoD, so CUI exists throughout the federal government. Back in 2013, DoD required a series of controls from NIST 800-53, which is a very thick printed document. It's like 400 pages. And those were required to be implemented. There was pushback on that. And so in 2016, NIST 800-171 was authored, and that is securing controlled unclassified information in nonfederal systems and organizations, so non-governmental systems, non-federal systems. This is a series of 110 controls, or we could call them standards, that are required to be implemented. The requirement to implement them was by December 31 of 2017. And a lot of people got this information and didn't know exactly what to do. So they didn't do anything, or they tried and it was hard, and so they stopped. Or they didn't even know that this applied to them. There were a lot of contractors back then that I talked to that didn't even realize that this was the requirement, because their contracting officers didn't tell them that this was a requirement, or maybe they didn't understand what the DFARS clause meant. And so the Department of Defense did a bunch of research, talked to a lot of contractors, and actually performed some assessments themselves.
And there was a 100% failure rate of full implementation of these controls and requirements.
Nathan Whittacre 11:42
Wow, that's crazy. 100%.
Leia Shilobod 11:45
Yeah. That illustrates a really big problem, right?
Nathan Whittacre 11:53
Yeah.
Leia Shilobod 11:53
So they figured, well, there are some things that we're going to have to do in order to make this program effective, because our secrets, our government secrets, especially how we defend our nation, are getting leaked out to nation states and to our enemies. So what are we going to do? They decided we need a little bit more clarification and accountability in this program, so that people understand: this is what you're supposed to do, this is what's satisfactory. And you know what, self-attestation is not really working out so well, so we're going to also bring in some accountability. And that's why certain organizations with special kinds of CUI now need to actually get an official assessment from a third party, a C3PAO, which is an organization that has been prepped and assessed to be able to provide those assessments to the defense industrial base.
Nathan Whittacre 12:52
Did you say C3PAO? Is that something from Star Wars?
Leia Shilobod 12:57
Yes, it's from Star Wars. It's sort of a CMMC certified assessors organization.
Nathan Whittacre 13:07
So they have to get a third party assessment from these organizations to ensure compliance.
Leia Shilobod 13:14
At certain levels, with certain information. So there are three levels of CMMC. At the first level, you have federal contract information; you only have to apply 15 controls, and you need to self-attest, so sign off that you have implemented them. At level two, there is a bifurcation (look at me with all my fancy words), where they break CUI into two different groups: one that requires implementation of all 110 controls but only requires self-attestation, and then one group that needs to implement all 110 controls and get that official assessment and certification. And then there's level three. They have an additional 24 controls, and they have very special and sensitive information, but it's not classified information.
Nathan Whittacre 14:17
So from what I understand, CMMC has been a framework in development, and there's a new, I guess, final rule that came out in December, like an end-of-the-year filing. Is that correct?
Leia Shilobod 14:32
So it was filed as a proposed rule, but a rule can only come forward through a process. This is the federal rulemaking process, which is the way that the government makes law without going through our typical congressional lawmaking process that we're all familiar with. So these rules are law. They're federal regulations. They are law. But there has to be a process: if the government's going to make its own laws and our representation is not involved with that, there has to be a mechanism for us to be able to review what they intend to do and comment on it, to tell them where they are kind of off on what they're going to do. And they have to take our comments into consideration. So CMMC has gone through this rulemaking process, and right now we're at the final phase of the rulemaking process. It was presented as proposed, which means that we have 60 days to comment on it. I do not recommend commenting things like "this is going to be too expensive," because they've heard that a ton of times and they have a pet response that they copy and paste, and it's not really going to get us anywhere. But during this comment period, we can make recommendations, and also remind them of things that they don't really see in practice. They are the federal government; they are not us. And God bless our government, but they live in a different world. So it's important for us to help them understand the regulations that they're going to impose on us, and the intricacies and the impact of that. Just as long as you don't talk about the cost, because they already know it's going to cost money.
Nathan Whittacre 16:19
So this is hundreds of pages of rulemaking that's been proposed. Are there organizations out there that are reviewing this? Because, you know, a small business owner doesn't have time to read and understand hundreds of pages of legalese. What type of association or organization can they get some information from? Who do they work with, on at least understanding this and making any feedback that is not just, "oh, it's going to cost me too much money"?
Leia Shilobod 16:52
Well, the CyberAB, which is the accreditation body that is responsible for the private part of CMMC, has monthly town halls. They just had a town hall this past week, where you can log in for free and get information about all the goings-on, and particularly about this rule. And you can also ask questions; that's probably the best place. Right now, though, we have a lot of different working groups and organizations that are going through the rule. I'm a member of two of them. One of them is the MSPs for the Support of Critical Infrastructure, and the other one is the CMMC Industry Standards Council. And we are going through this. I also run an MSP peer coaching group of other MSPs that do this work, so that we can all make sure that we're doing the right thing for our clients. And I'm going to tell you why that's so important in a minute.
Nathan Whittacre 17:55
I was going to ask you about that.
Leia Shilobod 17:58
Yeah, so we're actually going through all of this right now with a fine-tooth comb, and not only ingesting that information, but then also determining what's going to be the most valuable for public comment for us to submit, so that we can have a well-formed rule. Right now, it is very well formed, it is very well written, and we have a lot of clarity where we didn't before, but especially in the area of external service providers, that would be your MSP, there are questions that we have. So one of the things that the rule does tell us, and it's very, very clear, is that if you are an external service provider for a company that's in the defense industrial base, in other words, if you're an MSP, an IT support company, any of those things, then that provider is required to be at the same level as their customer. So if you just have federal contract information and level one, then you have to make sure that your MSP has gone through their own self-assessment of level one, and does a self-attestation that they have implemented all of those controls. If you require a CMMC level two assessment, that means that your MSP also has to go through that same process, implement all 110 controls, and also get a CMMC assessment and certification.
Nathan Whittacre 19:38
So that's potentially going to push a number of MSPs out of being providers, or they're going to have to implement these better controls. And hopefully the MSP is doing some of this stuff already; it's just more going through and ensuring that it's all in there and in compliance. Is that kind of the process for an MSP to go through?
Leia Shilobod 20:01
Nathan, I know hundreds of MSPs all around the world. And I can tell you that a lot of them don't do the things inside of these controls. And frankly, I think a lot of US businesses, if they recognized the questions they should ask, would probably be scandalized at the services that they are not receiving, and the state of some of the MSPs that are serving them. And that's by far not everybody, but many of them. It's sort of like the cobbler's children have no shoes, right? So, like, "oh, you guys need to do this, it's a best practice," but in here, we've not taken the time to actually implement those things, whether it's because they don't think it's important for their organization, or whether they just don't take the time and energy and cost to do it. So this is going to cause ripples. Those of us that serve the defense industrial base will be the first MSPs who are federally regulated.
Nathan Whittacre 21:08
So just give an example of some things that you see. You mentioned you are in an MSP peer group that's focused on this. What kind of things is an average MSP missing that need to happen to be CMMC certified, even at level one?
Leia Shilobod 21:26
Well, level one, I think most of them are doing, hopefully, at least. But I would say things like not having an MFA requirement to log on to their computers, not locking down external connections properly with MFA. It's also a requirement that the remote access that you have into your client environments uses a FIPS validated cryptography algorithm, and there are a lot of tools that we use that don't do that. There's also that remote monitoring and management tool that we use, where we have agents on everybody's computers and we can remote in there really fast. And it does a lot of stuff in the background: cleans up the computer, allows us to manage it remotely. It's a powerful tool. But it poses a really great risk to businesses.
Nathan Whittacre 22:33
So there was a big provider a couple of years ago, Kaseya, that got hacked, and a lot of their customers got penetrated, their networks got penetrated, because of that tool. So it is a concern for our industry; these tools can be utilized as weapons.
Leia Shilobod 22:51
Yes. And even internally, we don't think about insider threat enough. We just want to trust our people. Just like our clients, we tell them, you can't just trust your people; you have to put certain things in place, because you never know when somebody will do something, either on purpose or by accident, to hurt your organization. And a lot of MSPs don't think about that with their tech support people, with their engineers. But you know, we have the power to press a button and blow up dozens of networks. I mean, we really have that capability. Some of those tools are not really built with a lot of security already built into them, and that's concerning and problematic.
Nathan Whittacre 23:34
Certainly. Yeah, it's an interesting time for our industry, getting our chips in order to ensure that our clients are protected also. So talk about the implementation period. This new proposed rule has been published, and there's a 60-day comment period. I've seen regulations take a lot longer to get implemented even after the comment period is closed. What is the proposed timeline at this point? Do we know, for this implementation?
Leia Shilobod 24:08
Yeah, so we expect the final rule to be final in about November of this year. And that would be on the timeline that we've been seeing with DoD in the past for this kind of rulemaking process. So we don't expect there to be major changes after this comment period, but we do expect some additional clarification. And some people have said, "oh, well, it's not final, so I'm not going to take all the action yet, because I don't really know exactly what's going to happen." We've known now for six years, seven years, that you need to implement the 800-171 controls. That's in contracts already. That's already a requirement. If you haven't been doing that, then in my opinion, you're nuts, because it takes a long time to be able to align your entire organization to that and have the documentation that's required to show that you're actually doing that stuff. So now is the time: if you haven't been working on your program, it's time to dust it off and start trying to get a plan in place to be ready by the end of this year. And if you have already been working on your program, it's a really good time to review everything that you're doing and do that yearly security assessment. So one of the controls says periodic security assessment, and that means you have to do it at least one time a year. And what that control says to do is to assess, basically, the satisfactory implementation of all those controls. It's a really great time to do that: take a deep dive into every single one of them, look at your environment, look at your documentation, make sure it's all up to date. Now, after the rule goes final, sometime between November or December of this year, they expect the CMMC clause to start appearing in contracts about 60 days later. There will be a phased period, because we already know that it can't just appear in all the contracts when nobody has certification.
Otherwise no one can do the work. So there's going to be a phased rollout period where they select certain contracts first where it's a requirement. Our C3PAOs and assessors get out there, they see lots of different implementations, and they get better at this. It gives time for more assessors to be trained, so we have a big enough workforce to actually do all these assessments. But eventually it will be rolled out to all of the defense industrial base.
Nathan Whittacre 27:07
So it sounds to me like this year, 2024, is the time to get prepared, and 2025 is when we have to have those certifications, if you're a DoD contractor?
Leia Shilobod 27:21
I would be prepared for certification in 2025, yes. And it's no small task. It's good that we have a year; it's really good that you have the time, and there is no time to waste.
Nathan Whittacre 27:36
So if somebody is a defense contractor, a DoD contractor, and maybe even a subcontractor, anybody related to that who has contracts and needs to get certified, how do they get in touch with you? How do they find out more information on moving forward with a certification, or at least finding out what they need to do?
Leia Shilobod 28:00
Well, if you don't love talking about CMMC as much as I do, then you can definitely give me a ring, because I can fill you in on anything CMMC. You can catch me through my website, compliancyit.io. My handle on LinkedIn is slash Princess Leia. How about that? I got in early, so I got a cool handle. And my email address is Leia@compliancyit.io as well. And we do help organizations. We've authored a template package of how to implement and maintain a CMMC compliance program, so we've got that to help organizations. We also help them with compliant help desk and compliant infrastructure solutions. And if you already have an MSP, but you just want a second pair of eyes on your implementation, then we will also do a third-party gap assessment to see if there's anything that's missing, to assure that you're ready to actually get your official CMMC certification.
Nathan Whittacre 29:15
I think you have a podcast also, or you do some media to talk about this?
Leia Shilobod 29:20
Oh, yeah. So I'm also on YouTube at DIB Tech Talks as well.
Nathan Whittacre 29:26
Excellent. Well, Leia, I really appreciate the time. It's a lot of information, and I'm sure a lot of our listeners are overwhelmed by the acronyms and the process to implement this. But knowing that there are experts out there that can help them, like you, should give some assurance that there's a path forward to make sure that you're complying and your organization can continue receiving those federal contracts. I think that's the most important thing that owners are thinking about, but also that they're maintaining that information secure and safe, so that our federal government, especially our defense department, is secure and we can protect our country. So thanks, Leia, especially for your time, and we'll put some links down below so that listeners can get in contact with you.
Leia Shilobod 30:18
Thank you, Nathan.
Nathan Whittacre 30:19
Have a great day everybody and thanks for listening to Stimulus Tech Talk.