Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the podcast designed to fuel your success selling
technology solutions. I'm your host, Josh Lupresto,
SVP of Sales Engineering at Telarus, and this is Next Level
BizTech. Everybody, welcome back.
We're on a fun, exciting track today, talking about security,
talking about military history, intelligence negotiation, all
(00:24):
kinds of fun stuff today. It is the art of discovery
calls, stories from military intelligence negotiation. On with
us today, we have got Chris Rose of Ariento.
Chris, welcome on, man. Josh, happy to be here.
Yeah, newer supplier to the Telarus portfolio, but you've
got a lot of differentiating things to offer that we have
(00:47):
never had before. So we're excited about that.
We're going to uncover that a little bit today and we're going
to maybe we'll just we'll start this off a little bit about your
past. So you've got some cool military
training. So maybe just walk us through a
little bit about your background, how the military's
influenced your approach and kind of, you know, day-to-day go
to and maybe some of your deployments just fill us in.
(01:09):
Yeah, so I actually started, I did the military a little
late. So I kind of did it a little bit
backwards. When I came out of school, I
went and worked for a Fortune 500 company doing insurance,
actually auto insurance pricing. I was in a rotational program
and got some tech experience, but I was one
of those, hey, you plug in a computer and it works types.
(01:30):
But I always wanted to kind of do the military, had some in my
family. So I joined the Marine Corps
a little bit later after doing that.
And when I went into the Marine Corps, I was a little bit older.
So I kind of had, I'd worked for a mature professional
corporation and I knew kind of going in how valuable
something like this cybersecurity skill set, and just
(01:53):
IT in general, would be. So I kind of set my sights,
you know, in that direction to learn some of the technical
skill set that I got in the military while also being able
to lead Marines. In the case of me, I would join
the Marine Corps, and so I did the Marine Corps four
years, then reserve after that. In terms of kind of my
(02:16):
experience in the Marine Corps, I got pretty lucky in when
I came in, since 2010, 2011, we were wrapping
up Afghanistan for the most part.
We were still training some foreign countries to go in
there, but because we were focusing on kind of getting
stuff out of Afghanistan, a lot of the stuff in garrison
(02:39):
back here at home was, you know, some of
those bigger box, we call it big box comm.
So the ones that have kind of the capability of,
you know, like a cloud service provider really were
forward in Afghanistan. So that enabled some of us
smaller units. And I just kind of ended up
right place, right time to be able to do some pretty cool
(03:01):
stuff back here in the rear that we would have never gotten to do
because it was more of a, you know, battalion,
you know, dedicated cybersecurity communications company task.
So I got that experience and then I ended up deploying to the
Republic of Georgia. And again, kind of right place,
right time, we were training them to go into
(03:24):
Afghanistan because at that point we weren't really sending
new troops, but because of kind of the strategic importance
of the Republic of Georgia bordering Russia, right.
And some of the cyber stuff there.
You know, when I was there, our commander got tired of
driving to the embassy for some of the classified briefings and
reports, and I'd have to go with him.
(03:44):
So he said, hey, I want to bring this out to kind
of where we're stationed. And so I got to set up all of
that with Marine Forces Europe and kind of do some
cool stuff. So that was me. Post Marine
Corps, I went and worked for MITRE Corporation, who is kind
of the cybersecurity arm, federally funded research and
development center, the cybersecurity arm for the United
(04:06):
States federal government. They do not have capabilities
themselves. They buy it right from
contractors. In the case of some of the
technical things, they actually set up these FFRDCs,
so federally funded research and development centers, which are
funded by Congress. So they're not tied to a
specific contract, in the sense that they don't want
your well-being tied to that contract, right, in terms of if
(04:28):
you're evaluating the security of, say, a system that somebody's
selling to the government. So I went and worked for them,
and that's kind of the cybersecurity arm, before going back
to school and then starting Ariento.
I love it. So I know there's going to be a
lot of cool stories in there that we'll have to pull
some out. Walk us through, maybe before we talk a little bit more
about Ariento, take us back 10, 15 plus years.
(04:52):
Hard lesson learned in there, lesson from a mentor.
What sticks out?
Yeah, I mean, I think it's, the
military communicates, you know, the Marine Corps specifically
communicates some, you learn some good lessons just because in the
(05:12):
case of the Marine Corps, for example, we're
technically under the Navy, right.
So we're always getting everything last.
So we need to learn to be very resourceful in terms of, you
know, the equipment, the gear, kind of the way that we execute
missions, which is part of, you know, that's been kind
of part of the Marine culture from the beginning.
But I would say some of the lessons are also just basic
business lessons, right? You come in as a young second
lieutenant in the same way that you come into a new company or
a new department or something, and kind of the
rule to, hey, give it the 30, 60, 90 days, right?
Don't start making changes. Sit there, sit back and observe,
right? Because you know, no matter how
(05:55):
messed up you think things are, usually there's probably a
reason for it and you kind of learn it.
So, you know, one of the lessons I would say, you know, you come
in fresh out of training, really excited to get
to the fleet in the Marine Corps.
And you start thinking, you know, we're
going to do this better. We're going to build a better
mousetrap, right? And you'll
definitely get some pushback, especially from the enlisted
(06:17):
side. So again, a lesson you learn in
large, mature organizations in general, which
is just leadership in general, to kind of take a step back, you
know, observe and then, you know, put your stamp on it kind
of when the time's right. I think the other thing from a
Marine Corps standpoint, at least, that we incorporate, and
when we started Ariento, the idea was we bring some of this
(06:39):
military technology and the military model at least to the
private civilian world. And that's evolved, but
still to this day, in kind of our training programs for our entry
level folks, whether they're coming in as an IT help desk or a
SOC analyst, the value of that repetition, right?
Even some of the terms we still use. We run a DoD SkillBridge
(07:01):
program where we get a lot of military interns, but we still
use terms like battle rhythm, right?
The value of repetition in training folks on how to do
it is very much a military thing that serves us very well,
you know, at least in our managed services business.
Awesome. So for anybody that's not
familiar, let's talk about Ariento, right? To us, when we
initially came across you guys, there were some very clear
(07:23):
standouts. But from your perspective, now
being in the portfolio for a little while, break us down on
who Ariento is, what do you do? And then what are some key areas
that you really stand out? Sure.
I think if I were to simplify it, oversimplify it
probably, I would say, you know, we do CMMC.
(07:44):
So the Cybersecurity Maturity Model Certification, which is a
new regulation that went into effect December 16th of last
year. I know we'll talk a little bit
more about it, but at the end of the day, it's a
contractual obligation that the federal government, starting with
the DoD, is enforcing on their 300-plus thousand for the DoD, you
(08:09):
know, millions for the entire federal government, on their
contractor base to protect intellectual property of the
government, right? And we'll talk about what that
means. But so CMMC is
something that we kind of approach. To kind of go back,
(08:30):
I think it's important to understand CMMC if we're going
to describe what we're doing. So in 2017, the Department of
Defense, again, Department of Defense is kind of leading the
way on some of these efforts, and particularly CMMC, but
it is heading to the rest of the federal government.
We've seen some of that. But in 2017 the DoD came
(08:52):
out and said, hey, we're going to pass the regulation, just like
they did with CMMC, and it is going to be a contractual
obligation around cybersecurity for our contractor
base. But it was a
self-attestation, is what we call it.
So you have to do this stuff, you have to be compliant with
NIST 800-171. And oh, by the way, just
(09:14):
sign here. And you have to affirm that
you're doing it when you sign the contract.
Yeah, I promise, I promise. I did it real good.
Yes, exactly. As you can imagine, they did,
a couple years later, they did an Inspector General kind of
report where they sampled some contractors to say,
hey, how's this program working, right?
And the answer was, well, not only is our cybersecurity not
(09:37):
any better, but we're being charged on average, I think it
was like $1,600 per end user. The government's being charged
because companies are saying that it costs them that much to
comply with this. So it's being passed on to the
government, which ultimately foots the bill.
So it's like the ultimate fail, right?
And that was right around the time when the F-35 had
(09:58):
just kind of come out, the new fighter jet, and basically
China had it like next week, right?
And it's like, how did China have this?
You know, we've been working on this for, for.
Decades. Exactly.
Across the board, yeah. So they said, OK, we're
going to take a step back. And that's where CMMC was born,
back in 2019, 2020, where they said, hey, we're actually
(10:18):
going to put in this third party, we're going to stand up
this entirely new industry of third party auditors, which will
actually come in and certify companies, that they're doing
this and that they meet these, you know, 110 security controls
and requirements. And you have to have that
certification to be able to be on DoD contracts, you know,
ultimately federal government contracts.
(10:39):
So that was kind of the big change.
And then, you know, it's taken them, like anything with the
federal government, you know, four to five years to get it
out. And December 16th it
officially came out. So back to Ariento and what we
do, we were fortunate enough at that time, a lot of people
like me, background in federal government contracting,
military. And we had a board member,
(11:01):
actually a former Marine, who at the time was the CISO, the chief
information security officer, of NASA JPL. Back to that FFRDC
thing and MITRE. So NASA JPL is an FFRDC,
federally funded research and development center funded by
Congress, because what they do, you know,
is something that is needed, you know, to be done
(11:22):
and not put out for bid and be kind
of muddied by private contracts.
Johns Hopkins Applied Physics Lab and Carnegie Mellon
Software Engineering Institute are also FFRDCs.
They're the ones that wrote the CMMC standard.
So because we had this board member who was a CISO, he sat on
(11:42):
the same CISO committees as them who wrote the standard.
He said, hey, you guys might want to take a look at this.
And at that time we kind of set a strategy to go after
it. And what that strategy was, and what we do today, is we
are, and we were one of the first, an authorized, what's
called an authorized C3PAO, CMMC third party assessor
organization. One of those that the DoD has
(12:03):
come in, they've assessed us, they've cleared us to be able to
perform these third party assessments and give these
certifications so that people can do business with the
government. There's, I think there's 66 at
last check. So we're one of those 66,
and, you know, we also help folks get ready because
sometimes people want an auditor, they want somebody who
(12:24):
knows how to audit to make sure they're going to pass the
test. So we help folks get ready on
kind of a project basis. That's one side of our business.
The other side of our business is our managed services side,
which is what, you know, we've been doing on the
commercial side for quite a while, but we also do it now on
the CMMC side and have a lot of growth there.
And what that is, is you look at the government
(12:45):
contractor base of the DoD, 80 plus percent of contractors are
30 employees or less. The federal
government drives small business set-asides, right?
They give rewards because they want small businesses, they want
a fragmented supply chain, right.
It's not just the big primes that you think of, the
Lockheeds, the Booz Allens and that kind of thing.
(13:06):
So for them, for those, they don't really have a choice but
to outsource this, right? And so we provide some different
managed services to help them deal with this burden and
basically kind of take, you know, some or all of it off
their plate. I love it. Not, not to,
seems like the Star Wars jokes always come out when we say
these. Not to be confused with C-3PO,
(13:28):
but you guys are. If we look at you
guys as a services company, to be fair, that's where a
big clip of the billing comes from.
So there's two paths. Let's talk about these
two paths just to help everybody understand, because this is a
completely new path for our TAs out there.
I'd say we're very accustomed over the last few
(13:49):
years to getting into the traditional services side: vCISO,
augmented scope of work, preparedness, things like that.
So we can talk about that a little bit, and we're going
to have some kind of talk around that.
But the other side of it is, we've turned down these
opportunities over the years because it was, hey, who do we
have that can actually attest to say this entity is certified?
(14:14):
We used to always have to say, we don't have anybody; they've got
to go figure it out themselves. So let's talk down these
tracks a little bit. Going down from an assessment
perspective, I guess, what do you see?
Let's start with that first part, right?
Not the certification side, but the assessing part.
What do you see out there day in, day out?
And for the advisors that are listening that maybe
(14:36):
haven't ventured into this, what would you advise them to
start incorporating, some ways they could help their own
customers out and their prospects out?
Sure. I mean, I think
the first thing I would say to the advisors is that this
is a specialized thing, right?
(14:59):
And I think, you know, it's a new industry that the federal
government, the DoD, has created overnight.
And so there's a lot of attention on it, right?
And a lot of folks that are thinking and saying, you
know, hey, this is another HITRUST, this is another ISO,
right? And what I would say to the
advisors is just be careful in terms of positioning
(15:22):
yourself that way, because the federal government, you
know, they have the purchasing power and they also have the
DOJ, which is different than some of these others, right?
And they have fully wielded it in this case, in terms of, you
know, there's been a ton of pushback over the last four
years on, this is too big of a burden.
This is whatever. They justify it,
again, back to the F-35. They say that we're losing more
(15:45):
than the defense budget, which is in the trillions, right?
We're losing more than that a year because this information is,
basically our adversaries are picking off all these small
suppliers. They're putting it all together
and then they have the plans of the F-35, right?
And they're saying, so if we're not going to do this,
well, what's the point? We're just spending
this money twice. So that's their
(16:06):
logic. So, and they know that the, you
know, the government ultimately foots the bill for this burden.
And that is cheaper than what we're losing to our adversaries,
right? But it's specialized in
that sense. And then what we've seen is
the False Claims Act, right? Which is something that
has been around for a long time.
The Department of Justice goes after contractors for
(16:29):
false claims, right, saying, hey, I do
this right. In the past, they hadn't typically used it for
cybersecurity, but with all of this, now they're starting to, and
you can kind of Google DOJ cybersecurity claims and you're
starting to see them going after folks for attesting to
cybersecurity, for saying this, right.
And I just say that because, back to the advisors,
this is a specialized thing, and the stick that is behind
(16:53):
it, right, as well as the carrot.
It's a great business opportunity. It's a lot more than
the ISO community, HITRUST for sure, which is like
private, right? And some of these other ones,
even SOC 2, created by AICPA, right, that's an AICPA-driven,
partner-driven thing. Not saying those aren't good
compliance standards. They are, but there's just a
different level of weight. And I would say, unfortunately,
(17:18):
you know, with the government, they tend to, this whole thing's
based on a National Institute of Standards and Technology
framework, right? NIST 800-171. FedRAMP, for
example, is based on NIST 800-53, right?
The government tends to trail, no secret here, right,
a little bit in terms of kind of being cutting edge, right, in
(17:41):
terms of compliance and technology.
So again, for that reason, like, you just have to know this
stuff. And for the advisors, I
would say, hey, go get training on this, right?
There are certification courses you can do to be a certified,
you know, practitioner, CMMC certified practitioner, CCP,
even an auditor, even if you don't plan to audit or you're
not working for a C3PAO, because that really helps to
(18:03):
understand it. But in this new world, right,
where it's literally a new industry being created
overnight, there's just a lot of misinformation and snake oil.
And I would just say, hey, be careful, you know, in giving
advice in the space, you know, bring in folks that know what
they're doing while you're learning, because, you know,
(18:24):
three years from now, this will be a more mature industry and
people will know it, right? And it won't be
the first time all these companies are going through
assessments. But what we're seeing in a lot
of these, on our C3PAO side of the business, is they'll go in, and
we're even talking Fortune 500 companies here, right?
That you would think would know, that have the money to invest in
this. And they're finding out that
they're not ready, right? And we've even instituted a
(18:46):
process now where we require a mock assessment before we'll do
the actual assessment, 'cause we don't want to set our clients up
for failure. And then they're mad at us,
right? We would rather say, yeah,
you're not ready. Yeah, that's huge.
I want to talk about this for a second.
I want to pinpoint on cost, and, at the risk of drawing
(19:06):
some attention, current political climate, right, when
you mentioned what's happening with the Booz Allens and these
giant contractors, there's this idea of, is there waste?
Is there excess? Have we just been checking
boxes? And so I think for the TAs
that see any of this going on out there and kind of the
existing political climate, I think this is opportunistic in
(19:26):
that they're going to take a very hard look at who the
government is doing business with.
And I think you're going to see some things go out to bid that
otherwise you might have been like, oh man, Lockheed's got
that contract for 600 more years, right?
How dare I? I can't ever get into that mix.
And so I think this is an exciting time, that you guys have
both paths to offer, and very clearly the way that you
(19:50):
talk about these things, you guys have a very profound, deep
expertise. So I think for the TAs, see this
as opportunity in that things before that may have
been unreachable are now, I would look at those, and I
guess the second thing, I would love your feedback on this
before we go kind of down the assessing side.
(20:11):
I feel like we're seeing a lot more, you know, the
stigma of what a government contract customer might look
like might be this big, huge RFP bid, something formal,
like, oh my gosh, who's that? Who's going to win that? Versus
now, it just seems like anybody doing
any sort of business with the federal government with any
subset of data, a traditional private company is, oh, yeah, I
(20:35):
got to have this too, right. So it seems like there's a
much broader swath of, you know, public sector and private sector
companies that are being, you know, beholden to do this.
Are you seeing the same? I mean, even to the depths
of it. One thing that I didn't quite
realize when we got into this is international, even the
amount of, not just multinational, like based in the
(20:57):
US, but purely international companies that do business with
the Department of Defense, right?
And so we're seeing Sweden, Australia, Canada for sure,
right. Some of these companies, this
is even a bigger burden for them because it's probably a
small percentage of the business they do,
but they have to kind of put this in.
But yeah, I mean, and I think, look, it's the federal
(21:21):
government, but if you take them at their word, and there are some
programs out there, they are trying to, that whole thing I
mentioned where they're 10 years trailing, I think they're trying
to do better, right? In the world of AI, you know,
there's a program, there's a lot of companies we see called, it's
called Small Business Innovation Research,
SBIR companies, right? Which is kind of like, hey, if
(21:41):
you're a startup and you've got a cool technology, come pitch us
on it, and you know, we might give you a contract even if it's
something that we didn't know we wanted to buy, right?
So to your point, it is touching not only the big
primes, but even, you know, companies that traditionally
weren't necessarily looking at government contracting, because
of the buying power of the US federal government.
(22:03):
So earlier we talked about, you know, the two, I always
think of you guys as two forks: either going to go help me, you
know, kind of be my virtual CISO and do all of these things
for me for this entity, or you got to go, hey, Ariento's the
company you're going to bring in to the assessments, right?
We got to kind of wall this off. So let's go down.
We went down kind of that CISO type thing earlier.
(22:23):
Let's walk down again, lessons learned for the TAs.
You do so many audits, so many assessments, attestations,
getting everybody ready for that.
What do you think? What should the advisors glean
from that and how can they incorporate that side of things?
I think I would say start with scope.
(22:45):
Scope is what's most important in these assessments, right?
And when I say scope, what is being assessed, and it seems like
a simple thing, but you have to put it into the CMMC
kind of scoping guides. And this is all public
information, right? But at the end of the day, what
CMMC is about is two types of information, right?
(23:07):
That the government considers proprietary and that they're
contractually obligating their contractors to protect.
The first is what's called Controlled Unclassified
Information, or CUI. It's no different than, you
know, we have a contract with you, Telarus, right?
And if we wanted to write in there something saying, hey,
as a partner, if we label something
confidential or sensitive, we want you to protect it in this
(23:28):
way, right? You don't have to agree to the
contract, but if you do, then you got to follow it, right?
In the case of the federal government, it's kind of a take
it or leave it. You want to do business with us,
you take it. But so CUI is a replacement for,
for those who have been in the space, the old FOUO program, For
Official Use Only. The CUI program replaced that
during the Obama White House years.
(23:49):
So that type of information, the government is giving it to their
contractors. They're obligating them to
protect this. The second type is what's called
Federal Contract Information, FCI.
It's kind of a catch-all that says, hey, well, anything else
that's non-public that we might not label CUI, but that
you gleaned in this contracting process, we also want you to
protect that. It's kind of a catch-
all, but the point being is, when we get back to scope, the way
(24:12):
that you define scope is you figure out what people, what
systems, and then where the facilities are that those people
and systems are in, right? Including the cloud, including
Microsoft, including Amazon, right?
And that's your scope. Wherever this information goes,
whatever systems it touches, whatever people's, you know,
conversations or heads or, you know, they interact with it, it
(24:34):
goes in. And wherever those two things
are located, that's the scope of a CMMC assessment.
And the reason that's so important, and the reason
that we stress that and see problems, is that if you
don't know how to scope, well, how are you going to have a
conversation with an assessor to say, here's where you're going
to assess, right? And what you don't want is to
get into the thing where you say, this is our scope, and an
(24:54):
assessor looks at it and says, well, no, no, no, this is your
scope, right? Like you just told me that
you're sending CUI in email, but you didn't list your email
system here in scope, right? Because then you're starting
over. So it really does start there.
And we see plenty of companies, so we'll come in after
the fact, right? They've already fired a couple
vendors. And it's like, hey, I hate to
take you back to the basics and the foundation, but let's start
(25:17):
with scope, because then you can make, you know, intelligent
decisions on maybe scoping things out and narrowing your
scope. So I think for the technology
advisors, a good asset inventory, people, systems,
locations and whether they touch CUI, is a great starting
point. OK, so if we get back
to the theme of the track, this is about, we're layering in
(25:41):
ways to help during discovery calls, right?
So you, you know, you've got this intelligence background,
there's some psychological things, you know, that
go into this process that you're trained with.
But you know, if our TAs are coming from, OK,
maybe I sold CX to this customer before, or maybe I sold them
cloud infrastructure. The listeners on the
(26:02):
podcast are all about trying to figure out, all right, I sold
that. How do I go into this?
Or if I'm doing this, how do I do it differently or more
effective? Or can I learn a tip or trick,
you know, to help me on a new prospect that I'm trying to, you
know, drum something up and say something unique.
So in that, if you think about it, how do we
just start this with the right questions?
I always love to pick everybody's brain.
(26:22):
What are the right questions to ask? 'Cause this is a really
sensitive topic that demands a certain level of expertise and
confidence and trust. So how do we frame that up and
what's the right question set? I think, and the technology
advisors I think usually have a pretty good idea,
but do they do government contracting, right?
(26:46):
Even if it's state, you know, and then you need
to understand, OK, well, is it just state government
contracting? Is it local, right.
But if they're doing business with the federal government,
then this is going to be a thing, right?
It either is a thing right now, because they already have some
of these clauses and the assessments are starting, or, you
know, it's going to be. The DoD is kind of spearheading this.
(27:08):
But we've already seen, you know, Department of Energy,
Department of Homeland Security, right, and different things that
are going to be like a close follower.
So that's likely coming. But I think that's the
starting point. And then once you have that, I
mean, we don't really see too many problems today,
now that this has been a law, right?
(27:30):
What we see is more misinformation, right?
People thinking, oh, they're telling me I got to be compliant
tomorrow, right? Well, not quite, right?
Like, this is the world we're in right now.
This is the world we're transitioning to, right?
And being able to understand that.
And so I think getting the right decision maker that
understands their government business, right?
And then I think the other thing that's
(27:52):
really important is what percentage of a company's
revenue, right? How big of a deal is their
government business? Because even if it's a
Fortune 500 company, if we're talking, you know, less than 10%
of their revenue comes from the federal government, right?
Likely, back to scope, they're going to be looking at maybe
(28:12):
doing, hey, you know what, we're going to carve out this enclave
and we're going to create, I'll use Lockheed Martin dot US, for
these 40 users, and we're going to just make them work out of
that for when they're doing the DoD business, right?
And we're going to get that certified.
We don't want to go through, you know, getting our entire
multinational infrastructure certified, right?
(28:35):
So the percentage of their business that this affects
usually leads towards, well, what are the options in
terms of addressing it, right? Lockheed was a bad example
there. Lockheed, Booz, right?
What they do is primarily government contracting.
So they're going to have to do their, they can't really
narrow that scope in that sense. But you know, there are larger
(28:57):
companies that are maybe especially based abroad, things
like that, that we've seen that 5% of the revenue comes
from the DoD, right? And it's like, OK, well,
there's some different options available to you there a lot
quicker, and they're just a lot more confined in terms of scope
and don't open your whole business up to open the hood.
(29:18):
That's good. OK, so now I'm going to pick
your brain for story time. So I know you got a lot of cool
stories in there. There's probably a bunch of them
that are at a level of security clearance that I myself am not
at, nor can we say broadly, but dig deep.
Funniest, wildest, scariest thing that you can share, that
(29:38):
is declassified, that you know, that you just learned throughout
the years. I will.
So in the, I shouldn't associate this with
this, but in the wake of the current Signal stuff that's
going on, or the whole using the wrong messaging app.
(30:02):
Can we, can we, for anybody that's
not familiar, yeah. You know, people use Signal.
Signal is held to be this secure communications thing.
You get Secretary of Defense, VP, a handful of people
communicating, and accidentally added a reporter from the
Atlantic on a text thread. For anybody that's not familiar
with that, no big deal, and they were
talking about some stuff they showed.
Nothing. Nothing major, just national.
Security, just, yeah, just so you know, security
(30:24):
clearance violation. So, you know, everybody is
human, human beings, right? They're all people, right.
So when I was deployed to the Republic of
Georgia, right. One of the things that we were
doing, obviously Georgia's an important strategic location in
the world, right? They were the first ones to
(30:45):
declare independence from the USSR.
But looking at Ukraine, right, and everything that's going on,
right, like Russia had done the same thing that they did to
Ukraine to Georgia back in 2008.
They call it the 10 day war. They basically just came over,
took a couple territories, huge cyber outage and then went back.
(31:06):
So part of it is, you know, we're building these
relationships with the Georgians, right, because
they're a strategic partner. It's not just, yeah, we're
getting ready to go into Afghanistan.
Yeah, there was some cyber stuff that we were doing
there that was important to, you know, not just the Georgians,
but just because of the proximity and, and you
get trained on that stuff before you go in country, right?
You get trained on, you know, their culture and
(31:29):
to be able to assimilate with them and relate.
And so one of the things that we got trained on and
warned on was hey, they have these things called supras.
A supra is essentially a feast in which you toast what
seems like every 5 minutes and take a shot, right?
(31:50):
And basically the warning was decline, decline.
It's not disrespectful if you decline and don't show up.
What is disrespectful is if you show up and then you try and bow
out or you're not taking all the shots, right.
And like anything else in life, right, everybody has to be
in this training. But maybe the senior folks
(32:10):
don't. Maybe they were doing something
else or they weren't, you know, taking it seriously.
And I was one of the younger ones on our staff at the
time. So we're walking around downtown
Tbilisi with another, you know, peer of mine and get
a text to say, Hey, show up here, right?
By a senior Marine, right, that ultimately I
(32:31):
worked for: Hey, show up here, right, OK, show up there, right.
Walk in the door and clearly a supra is kicking off, right?
And they were absolutely right in the
training. I will say that this ended with
multiple senior and junior level folks, like somebody at some
(32:54):
point had the wherewithal to call one of the senior enlisted
back at base and say, Hey, you better come get us out of here
because this is getting out of hand. And to the point
where, you know, everybody is puking everywhere.
You know, I don't know, you know, blackout drunk and we
(33:14):
get, again, because you couldn't stop once you started,
it would have been disrespectful to stop.
And we get, you know, we get piled into a van and
it was a less than ideal car ride home and they're trying to
sneak us in the back so the junior Marines don't see us.
So I think that would be one of the crazier ones where we
(33:34):
should have followed the training.
But that said, the Georgians loved us after that.
Yeah, yeah, you're buddies after that one.
Nobody forgets that story. All right, final couple thoughts
here as we wrap this up. So you know, we talk
about government is slow moving, legislation is slow moving, but
there's a lot of sensitive things in security that may
(33:55):
cause it to move quick or may make news and people have to
figure out do they do something with that?
So you just think about, like you talked earlier about playing the
long game, coming into the room, not making changes right away.
So how do we wrap this up of if something changes
in legislation, how do we stay ready for that?
Does it change? Do we trust the process?
(34:16):
Like what's your? How do you think about things
like that? I'm saying that this is
something that has had its ups and downs, right?
I mentioned it's been 4 plus years since they kind of started
this journey. They actually rolled it out once
under the regulation of an interim rule, and then
they kind of immediately pulled it back because you have
lobbyists, the only answer. So this has definitely had
(34:38):
the roller coasters of it's coming, it's not coming, or
it's changing, right? But it has gone
through multiple administrations.
This actually started in the first Trump administration.
And so I think, you know, what I would say is
cybersecurity is pretty nonpartisan.
It's one of those things that both sides of the aisle
(34:59):
tend to get behind. With all this going on with DOGE in the
world today, this has not been something that's even kind of
remotely hit the radar. And like I said, the law
passed, which is the good news, right?
But I think that the buying power of the federal
government, I mean, every year you guys have got plenty of
(35:22):
vendors, right? Every year there's a new cyber
compliance standard to comply with, right?
Whether it's a state issuing it, whether it's a private
organization, whether it's, you know, the international community,
this is not going away. They're only just adding that.
And I think the thing that I would say related to CMMC and
FedRAMP, kind of by it being adjacent, is the buying power
(35:45):
of the US federal government. I mean, when this thing came
out, everybody, Canada, Australia, right, all these
countries wanted to, Canada's got their own version
now, they wanted to hop on and do, you know, reciprocity with the
DoD and figure out how they can, you know, and
same thing with the ISO standards, I trust everybody wants to say,
well, hey, can you give reciprocity for our standard to
CMMC certification, right. And the answer to the DoD,
(36:07):
because of the federal government, is no.
However, you know, in reverse there are some
indications they're going to give reciprocity, right,
to these standards because they want to stay relevant.
But I think the bigger thing is that because this is the
federal government, how much buying power they have, at some
point this stuff has got to start to consolidate because
(36:28):
it's too burdensome, right? At least at the United
States government level, right? So the states maybe, that,
you know, there becomes a federal standard.
We would hope, but this is the first time that we've seen
an actual regulation related to auditing, right, and 3rd party
independent, and standing up a whole industry.
And I think, you know, you look at the financial world, right,
(36:51):
and pre-SOX and all that stuff.
This doesn't to me seem that much different than this is the
start of third party inspections of people's cybersecurity,
right, because it's just that important.
You take it back to, you know, it's the fourth generation, next
generation warfare type stuff, like this is where the fight is.
And just like the financial stuff is important,
(37:14):
I think the cyber stuff has been coming that way.
So this idea that there's going to be this third party auditing
arm for this stuff, I think that's only growing and
not going away. Final question, does
the quick evolution of AI or compute or GPUs or anything,
does that change it as you look forward to the future?
Do we still double down on everything that you said or
anything else to kind of keep our eye on?
(37:36):
Well, but I think this goes back to that 10 year thing, right?
They're not ready for AI in that way, right?
From a compliance standard, it's a slow moving thing.
And so this is what it is right now, which is the start, right?
It's the start to then build on. And yes, they will adjust the
security controls by tying it to the National Institute of
Standards and Technology. It's not just a DoD thing.
(37:58):
It's not just a one branch thing.
Everybody can tie into it. I think there's a lot more to
learn about AI, but I do think that that will become a part of
this. I think that's just probably
compliance tends to trail behind actual security.
And so you're probably talking, you know, 10 years from now
before you start to see the security controls related to AI
in a compliance standard like NIST 800-171.
(38:21):
Awesome. Good stuff, man.
Chris, you dropped a lot of knowledge, a lot of expertise.
Clearly this ain't your first rodeo.
You guys know what you're talking about.
You got a lot of in depth expertise here and so I
appreciate you coming on and sharing some knowledge with us,
man. Hey, Jeff.
Appreciate it. All right, everybody, that wraps
us up for today. As always, don't forget episodes
(38:41):
drop every Wednesday so you can catch them whether you're coming
to us from Apple or Spotify. Be sure to get those as they
drop every Wednesday morning. For today,
that's been the art of discovery calls, stories from military
intelligence negotiation. Chris Rose Oriento.
I'm your host, Joshua Presto, SVP of sales engineering at
Solaris. Until next time.
Next Level Biztech has been a production of Solaris Studio 19.
(39:04):
Please visit telaris.com for more information.