Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Hey there, welcome to CMMC Compliance Guide Podcast.
(00:02):
I'm Stacey.
SPEAKER_01 (00:04):
And I'm Austin.
SPEAKER_00 (00:05):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is one of the most important ones we've done thus far.
(00:27):
Because even though the headlines say ceasefire between Israel and Iran, the cyber war, that's still live. Right after the ceasefire was announced, Katie Arrington shared an urgent memo from the DOD CIO.
SPEAKER_01 (00:42):
It basically said this, that every defense contractor, regardless of your size, so, and it specifically said that in the memo, that this is for small contractors, mid-sized contractors as well, not just the Lockheeds and Raytheons, Boeings of the world, that you need to raise your cyber defenses and need to do it now.
SPEAKER_00 (01:01):
So let's kind of dive into what's really going on. Why did the DOD feel the need to make this public statement right now?
SPEAKER_01 (01:08):
It's a good question. I mean, you know, we just saw a ceasefire announced and it seems to be being held to currently, at least when we're recording this. Who knows when this gets released what happens. But, you know, it's because geopolitics don't stop at a ceasefire. A cyber war is often conducted without the scrutiny of the press.
(01:29):
So that's the one benefit these nation states have and they see in cyberspace is that you don't have a bunch of reporters or running around, you know, reporting on things or people with their smartphone recording it, you know, get reports on X or Twitter, you know, those don't happen.
(01:50):
So they can be conducted without scrutiny and people directly being aware of it or being reported on. And the US, especially in this memo, has taken a clear stance that its adversaries and their cyber proxies... So a lot of times, the cyber wars are conducted through other groups or entities, not from the nations directly, much like normal or happens, that they're already targeting the defense industrial base.
(02:14):
You know, this doesn't have this. This happens on, you know, a normal basis, but especially in times of conflict, especially as large as this one, it really ramps up even after the ceasefires.
(02:35):
So, yeah. You know, it's not just the primes, not just the big guys. Like I said earlier, this memo is focusing on that the Department of Defense wants to be on high alert. They specifically mentioned and called out, you can go read it.
(02:56):
We'll include the link to it in the video description and in the podcast description so you read it for yourself. But they specifically call out the smaller entities as well, not just the primes. So if your shop, your manufacturer makes parts for weapon systems, aircraft, you know, a wire harness or assembly harness or something, and ends up, you know, with Lockheed, Raytheon, Boeing.
(03:20):
Chances are you're a target. And that's why the DOD CIO laid out in black and white in that memo. But the NIST SP special publication 800-171 is the minimum requirement. If you handle CUI, you need to be compliant now.
(03:41):
Not next year. Not when CMMC becomes a contract clause. Don't get mad at me. This is the Department of Defense saying it.
SPEAKER_00 (03:48):
Getting into the meat and potatoes of all this, what are the actual steps the DOD is telling us to take?
SPEAKER_01 (03:54):
Yeah, so the memo... Actually, breaks it out pretty simply into about four buckets. The first is reducing the risk of getting hacked. That's the first kind of directive to the defense industrial base. And they specifically call out, make sure you've turned on multi-factor authentication.
(04:15):
And news alert, if you didn't know, that was part of the controls already. So you're already supposed to have turned that on. Multi-factor authentication, especially as far as the defense department is concerned, they want to make sure that you've turned it on for remote access, access across the network, and then for admin and privileged logins as well.
(04:37):
So they also called out making sure that you patch your systems. So that means anything from your computers to your firewalls, your switches, stuff like that. And it specifically called out that you need to focus on the known exploited vulnerabilities list from CISA.
(04:58):
Again, that's another URL that we'll include in the description here. So you can go actually do that. So another part of that first bucket of reducing the risk of getting hacked is shutting down unused ports and services.
(05:18):
We're not a big fan of opening ports or services at all. It's hard to make them secure. So we recommend not doing that as much as possible. And if you have to do it, you have to do it in a very secure way. So if you've got, you know, I think a lot of people out there are probably guilty of having like a remote access port or something open, you need to shut that bad boy.
(05:39):
Especially in times of high alert, but you really should design a secure solution around it long term. But they call that specifically shutting down those unused ports and services. The other is following CISA's cloud security guidance. It's gonna be in the description as well. Basically, if you're using Microsoft 365, Azure Web Services, really any cloud service provider like that, you need to follow that guidance to basically harden it, lock it down.
(06:02):
I'll actually read out the actual verbiage, which is a production or operational tenant as a cloud service provider environment used by the government to conduct official government business, whether operated by the government or a contractor.
(06:23):
So that last piece, "or a contractor," means that you are conducting official government business in their eyes. So if you're using Microsoft 365, Azure Web Services, any cloud service provider, and you're basically, you know, the way to think about it would be if you're using it for CUI or any contract information, that cloud service that you have then needs to be hardened according to that CISA cloud security guidance.
(06:45):
So you need to go do that too. They also mentioned in the memo to check out the free resources from the CISA Cyber Hygiene. Again, another link we'll have below. NSA's Cyber Collaboration Center, another link we'll have below. And then DC3's DCISE portal as well. Another link we'll have below.
(07:26):
But basically, those are three free resources that the Department of Defense provides to their government agencies and their contractors of the defense industrial base to help secure their networks and whatnot. So you can also go find someone commercially to do those things for you.
(07:49):
You know, uh, if you're not a fan of using their resources, but they do provide some free resources, um, unless some don't cost a dime, just, you know, some, some initiative and some labor hours there. Uh, that's all the first bucket. So, uh, the second bucket would be work on detecting threats early.
(08:10):
Um, that would first and foremost mean turn on, uh, monitoring of system logs. Now, um, a lot of people probably won't like that I'm going to say this, but basically the way we see it here at CMMC Compliance Guide is that the compliance standards basically mandate you have a security SIEM, in our opinion, without actually mandating it.
(08:35):
It says all the things that a SIEM basically does. And it's easier just, in our opinion, to buy that off the shelf and then assuming that it's compliant and fits all the compliance boxes. But go purchase a SIEM and implement it.
(09:00):
So that way, you can properly go through all those logs, protect them, and review them as needed because otherwise, you have to go into all the different locations and review them in their... their source, which is not easy to do if you're familiar with IT logs and security logs.
(09:21):
The SIEM collects it all for you. And then it also satisfies some of the other controls like protecting it. The logs, you're supposed to keep them from being deleted and whatnot. So we recommend a SIEM. The memo doesn't say that. We recommend it, but the memo says that you need to turn on and monitor your system logs.
(09:42):
So if anything were to happen, you can go look at those and figure out what happened, or they might be able to give you advance notice of something happening on your network and you'd be able to shut it down before it gets too far gone. The second part of detecting threats early would be to use antivirus and, important, update the antivirus with the signatures of the new viruses coming out.
(10:05):
So they specifically say, make sure that you're doing that. So I hope that everyone's doing that. That's been a, most people know you need an antivirus for a long time. So I really hope that everyone out there listening is doing it, has one.
(10:26):
But you know, another, it sounds like simple fundamental stuff, but you know, you have antivirus and you think that the patches and updates are being applied just automatically and you haven't checked it, you're probably wrong.
(10:48):
Um, and I, I don't say that to be, uh, controversial other than the fact that whenever we go into new networks that, like, we manage and stuff, typically, uh, the backups they think they're being completed aren't being completed, the antivirus updates that they think are being done aren't being done, or half the workstations are out of date. And it goes on. So it's not good enough just having it installed.
(11:11):
You need to make sure that the updates are actually applying and working and nothing's broken there. So another piece of detecting the threats early, the memo says, is to review access controls for any third party vendors or partners, basically. And so the idea there being that you don't want to be exploited through their access means, right?
(11:35):
So check those. And if your vendor is doing anything on your behalf or on your network or whatever it may be, don't just assume that they're doing things securely. For example, I know that whenever I walk into a doctor's office that I can, I can spot 10 HIPAA violations whenever I go in there for my appointment.
(11:57):
You know, it's just because they're a doctor's office, they don't assume that they're following the HIPAA guidelines, right? Same for your vendors, you know, just cause you've hired them and they do a good job. You know, you may love your doctor, but it doesn't mean that they're actually, you know, securing your data, um, or your network the way that they should be.
(12:20):
So you need to ask those hard questions. It doesn't mean, you know, maybe that you need to fire them, but, um, ask the questions that way they can do it and protect yourself. Right. The third bucket, um, is be ready for an incident. So, um, you know, that may sound, um, rather easy or like, oh yeah, sure, we're ready.
(12:44):
If something hits a fan, then I'll call my IT guy or something. But it's actually a lot harder than that. And if you've ever been on the receiving side of a breach or remediating a breach, you realize how important an incident response plan is whenever you need it.
(13:07):
So for example, if someone gets ransomwared, um, you know, whether the IT guy, uh, or your company is there and answering the phone or not, um, you know, it is one thing. Um, but what the actual pre-planned directives are, you know, sitting in what roles, you know, so do you need to contact your lawyer?
(13:27):
What communication needs to go out to customers or your employees? What's the decision process for leadership? Do you need to, um, work with your cyber insurance provider? You know, on that specifically, a lot of times they require a lot of things from you.
(13:47):
And if you, if you veer off of what their required track is, you don't get coverage. So you really need, that's just an example, but you really need to think through all these things before it happens, because chances are you're gonna miss it in the storm of everything. And it's specifically mentioned in the memo that you need to have an incident response plan pre-planned, and then it'd be a good idea if you tested it as well, make sure that things go right.
(14:13):
And again, news alert to anyone that doesn't know, but all the controls require for you to have a plan in place for that already.
So bucket number four would be recovering from an attack, which would be making sure you're able to recover from an attack, rather.
(14:35):
First, it mentions to test your backups. Again, I mentioned earlier, just because you have the backups turned on doesn't mean they're working. Most of the times when we come in to a new environment and that hadn't been checked on a regular basis, they're not working or some portion of them aren't or they're corrupted.
(14:56):
So you really need to test them because things happen, especially with technology. And then second to that is make sure that they're isolated. So the reason for that is that if your company gets hacked and the backups are on the same network that's hacked, then hackers know, and even just the malware and viruses that are coded know, to go look for backups.
(15:18):
So it doesn't even require a person doing it. A lot of times they go look for backups and they'll go delete them or they'll extract them and pull them elsewhere. But they know to look for that because, you know, the ability to recover from a backup really undermines the person that's attacking you, right?
(15:44):
So that is specifically looked for during a breach. The other part of recovering from an attack is that if you're on operational technology, most of you guys are, unless you're just a full on digital firm, everything's digital.
(16:08):
Manufacturers are all running operational tech. So think your CNC machines, all your PLC cards, all of that stuff is operational technology. And so the memo calls out in there to conduct a test of manual controls to ensure that the critical functions remain operational if your organization's network is unavailable, hacked, ransomwared, down or otherwise, you know, untrusted.
(16:29):
So if you have to disconnect the operational tech from the network, you need a plan to be able to still run your shop floor, right? So even if your network goes down, you still need to ship parts.
(16:53):
That's part of the resilience that the Defense Department is trying to build in their supply chain.
SPEAKER_00 (16:55):
So let's tie all of that together. Austin, can you explain why this is just more than a heads up?
SPEAKER_01 (17:01):
You know, it's because the Department of Defense is not just sending out memos just to look busy and stuff like that. So they're signaling... you know, what's coming next. So there, there is actually a concern at the defense department, at the Department of Defense, um, that there's a heightened concern, um, for cyber threats.
(17:25):
So that's the reason they're doing it. They wouldn't be doing it otherwise. I mean, they, they've already been saying, um, very often how important CMMC is and how much you need to comply. I mean, it's been going on for years.
(17:46):
The fact that this memo is coming out on top of the ceasefire and kind of everything that's going on in terms of the geopolitical stuff in the world right now, it's very intentional because it's something they're actively concerned about. This basically means that even with the ceasefire, you should assume that since they put this memo out, that the cyber attacks are increasing.
(18:08):
The war in cyberspace is always on, and the digital attacks that happen in cyberspace support the kinetic ones like the bombs dropping in the real world. And when the ceasefire is happening, the cyberspace war is supplemental to it.
SPEAKER_00 (18:25):
So to tie everything together, Austin, what should a listener do this week in accordance with all of this news, the memos, and what's happening in the news right now?
SPEAKER_01 (18:34):
If we're thinking about the average small to mid-sized contractor, aerospace, defense manufacturer out there, really it all comes back to is the controls that your contracts say you have to comply with, right? So the cybersecurity controls specifically is what we're talking about.
(18:54):
So, and... All the memo is saying, although very importantly and very urgently, is that you really need to make sure that you're doing those things. So we like to use your SPRS score, "SPURS" score, as basically a starting point to determine where you are on the path for controls, right?
(19:15):
So, because that's what it's there for, right? So if you're a contractor out there, you don't really know where to start, go look at what your SPRS score says, what you said your SPRS score is, and then ask yourself whether or not that's actually true, right?
(19:38):
So start there. And if it's not 110, you know, which is a perfect score or close to it, like actually 110 and not one that you're just kind of hope and prayer putting in there, then you need to get that score up, right?
(20:00):
So, and do all those things the controls are saying. Second would be to go review your multi-factor authentication. Again, that's remote access, that's access across the network, and then your MFA for privileged accounts or administrative accounts.
(20:20):
Then go check your backups. Make sure that they're actually completing. Maybe that you actually have backups first and then that they're actually completing correctly and then test them. Make sure that you can restore from a backup, open a file or something like that. Make sure it actually works. Then check your patches. Basically, are your firewalls up to date with the latest firmware?
(20:43):
Are your computers up to date with the latest Windows or Adobe updates? Are your switches up to date? Anything that runs software on your network needs to be up to date with the latest, at least security patches. And if you're not up to snuff on your SPRS score yet, there are quick wins that help protect yourself.
(21:05):
So, you know, you can really, you can cover your butt a little bit from getting hacked and being forced to let the Department of Defense know that you're not doing what you're supposed to be doing. Now, we don't condone that, but we know people out there are in that boat. So if you're looking to really mitigate risk here, that's the first place to start.
(21:25):
And then it would be going and implementing all the controls and doing what you're supposed to be doing. Another thing to do would be to use the CISA's cyber hygiene tools. They're free out there. The Department of Defense provides them for you for the purpose of securing the supply chain. Or you could use commercial platforms that are important or compliant that can do the same thing.
(21:46):
Another thing to do would be to schedule a response drill. So make sure that your incident response plan actually works and makes sense through a mock disaster or hack or breach, that your backups actually work.
(22:07):
And if this is all over your head and seems very overwhelming, call somebody, get help.
SPEAKER_00 (22:15):
A note, if you're having trouble figuring all of this out, we're actually offering a free SPRS roadmap session. So you can check that out in the description below. It can give you clarity on where you stand and what to fix first. So in that session, we'll walk you through your current SPRS standing, a plain English summary of your gaps, and also a clear roadmap to hit 110 so you can stay defensible.
(22:36):
Most importantly, in the description below as well, we will link to the memo. So if you really want to go back and read that for yourself, you can do so. And we'll also put in the description those resources that Austin mentioned previously as well. So you'll have access to all of that great stuff.
(22:57):
If you have any questions about what we covered, reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode.
(23:17):
Until then, stay compliant and stay secure. Like, subscribe, and share.