Decoding SBIR DoD Compliance
Join us for a fireside chat with OpenGrants CEO, Sedale Turbovsky, and Elias Mourany, cybersecurity expert and CEO of Marius Group.
In This 1-Hour Session, We Covered:
- DoD Cybersecurity requirements for grant and contract awardees
- Steps to take to better secure your enterprise today
- Questions on standards such as ISO 27001, NIST SP800-171 and CMMC 2.0.
This webinar is perfect for both grant submitters awaiting awards and current grant awardees. Elias has deep expertise in this space, and we will have a question and answer period where we can address topics like technical controls and dive into specific regulatory requirements.
About the Speakers
Sedale Turbovsky, Co-Founder & CEO, OpenGrants
Sedale Turbovsky is the CEO and co-founder of OpenGrants, a venture-backed startup focused on building modern infrastructure for funding. He has been an entrepreneur since childhood. After honing his leadership skills as an outdoor guide in his younger years, he started his professional career as an independent consultant focused on delivering data products and digital strategies to enterprise clients in South America. He is experienced in independent grant writing and public/private partnerships at the highest level, having worked directly with OpenGrants’ current strategic partner, Momentum.
Elias Mourany, CEO, Marius Group
Elias Mourany is the Chief Executive Officer and Founder of Marius Group LLC, which provides security and security compliance solutions, including for ISO 27001, 800-53 and 800-171. Elias has worked in a variety of security and/or project management roles at technology consultancies such as Booz Allen Hamilton, CGI Federal and BAE Systems, supporting customers across the federal government. Elias is also an Army Veteran, a University of Virginia and an Ohio State alum, and holds various security certifications. Elias enjoys reading, traveling, and telling eye roll-inducing dad jokes.
Read the Transcription
Please note, this transcription is automatically generated and may contain some spelling and contextual errors.
All right, everybody. Thank you so much for joining us on this lovely day. You are at the OpenGrants webinar for decoding SBIR, DOD compliance. So if that’s what you came to learn about, you’re in the right place, super excited to have you all here. My name is Sedale Turbovsky. I am the CEO and co-founder of OpenGrants and we are the easy way to win grant funding.
We’re super excited to have an incredible presenter here for this fireside chat, Elias from Marius. Prior to OpenGrants, I worked in the innovation space, helping startups and other groups secure funding through the grants ecosystem, and became very enamored with the way that grants can support innovation and the development of really cool tech.
So really excited to be here and super excited to have Elias with us today. And if you could just tell us a quick bit about your background and what you do. And then we’ll get into the bulk of the presentation today.
Yeah. I apologize if my voice comes in and out, but my name is Elias Mourany. I’m the CEO and founder of Marius Group. We provide security compliance solutions to federal contractors, academia, and for-profit businesses. A little bit about myself: I’m originally from Ohio, but grew up abroad, actually in the United Arab Emirates, returning to the US every summer before I moved back. I’m also an Army intelligence veteran and fluent in a few languages.
I’d say subpar programmer but average pen tester as well, but where the rubber meets the road for me, and why I set up Marius Group, is I bring in, I would say, a grasp of skills from across the cybersecurity landscape. So for example, I’ve worked at FEMA, where the security operations center supported other federal agencies, just doing lifecycle cyber activities. And it was born of that knowledge that we went ahead and founded Marius Group, initially as a part-time business, and were fortunate enough to have grown it full time.
Awesome. Thank you so much for that. Really excited; clearly a very intelligent person here.
I’ve had the pleasure of working a bit with Elias on a variety of content and other things. And, just a wealth of information about this process, which can be a bit opaque and difficult to navigate at times. So excited to have you here and to dive in. I see from the poll, and I’m going to go ahead and end it now, that most of you are not yet contract holders.
So we’ll dive into some of the things that you can expect along your pathway. And then I do see that there are some civilian agency contract holders here in the audience as well, and no current DOD contract holders, at least that responded to the poll. We will touch on all of that.
We do have a variety of DOD contract holders who registered, I think, at least, so we’ll go over the breadth of things here, but I’m gonna go ahead and end this poll. And just appreciate you all participating in that so that we can tailor our comments. I realize you have a bit of a presentation to dive into.
Before we dive into that, can you just give the high points of, what does this even mean, SBIR DOD compliance? What are we complying with here? High-level, what should people who are looking to contract with the DOD expect from this hurdle that they need to cross over?
Yeah. Great question. Thanks, Sedale. And I’m watching the poll results as well. I see. Okay. So we have a lot of would-be grant awardees, some civilian agency as well. First of all, it really depends on which agency’s SBIR grants you’re going after, or STTR.
So for example, if you were to go after DOD grants, whether SBIR, STTR or actual contract awards under the DFAR, the Defense Federal Acquisition Regulation, you would probably have to comply with NIST SP 800-171 today. And so we’ll talk a little bit about the overarching regulations. If you haven’t noticed, I’m candid to a fault and aim to under-promise and over-deliver.
So pull me back if we get a little too technical or a little too policy-oriented in different parts of the discussion. But to answer you, a succinct answer would be: today, anybody who’s going after DOD business, and tomorrow, anybody who’s going after civilian agency business, as they start to align with DOD cybersecurity standards.
Awesome. Yeah, that’s really great to know that these civilian agencies are going to be picking up and implementing some of these DOD cybersecurity standards. I think that’s an important point for sure.
We’ve seen DHS take a look at the DOD CMMC standards, but we’ll dive into that in a little bit. It’s a lot of acronyms to deal with. That’s why the Q and A session is important. Yes.
This is a world of acronyms. I think let’s hop in. I know you had a really great framework presentation that you had put together, and I’d love to just start going through that.
And then as we’re moving through that process, I’ll pepper you with some questions and we’ll also keep an eye on the Q and A section here. If you do have a question, please do feel free to pose that to us using the Q and A tool, and yeah, let’s dive into it. I know it can seem like a lot.
Just starting with the overview, and maybe explaining some of the acronyms, like what is CUI?
And like I said, there are a lot of acronyms, which is why, and we’ll just give you a sneak peek, which is why we’re also going to go through the history of how all of this got here.
For some of the history nerds in the audience, in a nutshell, CUI stands for controlled unclassified information. And for quite a while, it’s been, if you will, a gap in our bureaucratic but also technical policy and counter-intelligence apparatus that’s been exploited by adversaries of the United States, right?
Starting in 2008, which is a while back now, right? Because sometimes it takes government some cycles to start to hone in on a problem and then push out solutions. You’ll see. So starting in 2008, we started actually focusing on this problem, and what was happening, even before 2008 as well, going back to the days of the Cold War, we started to notice that, for example, things that we keep open, like organizational charts and technical information, other nations would up-classify.
So actually a lot of our adversaries were just taking a look at, and to this day, our unclassified information. And so you can see here in the background, I have a screenshot from two videos by the bus. I don’t think there’s any affiliation to BuzzFeed, but it summarizes real examples that you may have read about.
And those are cited in articles you’ll see referenced at the end of the slideshow. I should note that not all of these weapons systems on the slide were actually copied from stolen, from hacked, if you will, information, or at least not that we know of. So for example, the X-47B, that Reaper of ours, you can see.
You can see the Chinese knock-off. I think it’s called Star Shadow, that over here. So this was actually also based on the RQ-170, which was, if you recall, a surveillance drone that was hacked and forced to land over Iran, I think in 2011. So that’s how nerdy we can get, but to scale it back: so CUI, what is it and why is it protected, right?
And the answer is actually more complicated than you would expect, and this is why there have been some delays in putting out the appropriate policies. You’ll see. So the truth is NARA, which is a civilian agency, actually has its own definitions, and you can see them on their website, which I linked to in the slideshow.
And then DOD also has its own definitions. I think they exceed the 22 categories of CUI listed in the NARA registry. So they’ve gone pretty broad. They have categories, like groupings, like critical infrastructure, defense, financial. What’s relevant for everyone here is controlled technical information.
We’ll see that on the civilian agency side also. All of these have subcategories; some of them, like intelligence, are obviously mostly on the classified side. In fact, that’s not CUI, but there was a bit of overreach, and I think that’s why there were delays in rolling out the program.
So this is a sneak peek of, again, I’m not a lawyer, the regulatory side and history for all the CMMC and today’s NIST 800-171 programs. So this is the background, but we’re going to also dig into what’s required today and what will be required tomorrow.
So yeah. You brought up something important that I just want to baseline for everyone here, which is that neither Elias nor I are attorneys. And with any kind of contract with the government, you should have your legal counsel review these kinds of things. But certainly, just from a high level, these are some great resources to get you started as you start to navigate this stuff.
And you certainly want to look for input not only from a specialist like Elias, but also from your legal counsel as you navigate. There’s a technical approach to this, and then there are contractual obligations and contractual aspects of this that your attorneys can.
And we’re happy to answer questions on either side. So, my background: my main profession before setting up Marius was security control assessor. And before that I was also a security system officer. So essentially the generalist who could do the network security architecture and understand the technical, but also the policy controls, who would put together a security program that would then be assessed.
But yeah, definitely not attorneys, and just seconding what Sedale said. But you’ve probably noticed this already if you’ve registered on sam.gov: there are a lot of acronyms and a lot of policies to understand. And again, on this call we’ll definitely raise our hands and say we don’t know, or refer you to counsel.
If you’re asking a question that’s beyond our, I was going to say above our pay grade. So in a nutshell, you can see the policies on the left and breaches on the right.
You can see that infamous OPM breach over here, hopefully it’s coming in clear, 2013 to 2014, with USIS, which was one of their biggest contractors. What also happened in December 2021, that’s not on the diagram, is CMMC 2.0 was officially released. That’s still undergoing review; it comes instead of 1.0, which was brought about by this 2019 memo.
So again, this whole deal, and understand this as we go through. And Sedale, tell me to zoom in or zoom out and I’ll do it for the audience, but, okay. So today, if you win a DOD SBIR grant, chances are you’ll need to comply with NIST SP 800-171. And so some of you may have heard acronyms like SPRS.
Or probably terms like SPRS score. You may have heard of terms such as the system security plan. So as we go through, you’re going to understand what these all mean. CMMC is the program that’s coming in to replace NIST 800-171 for the DOD. It’s been rocked by delays, and we’ll explain why as we go through, but I alluded to that earlier with the overreach with the definition of what CUI is and some other items. But in a nutshell, CMMC 2.0 actually goes down to three levels in maturity from the initial five, which was a little bit more complex, that existed with CMMC 1.0, and really level two is essentially just adherence to NIST SP 800-171.
And some of the changes from CMMC 1.0 to 2.0 are that the government also doesn’t require you to essentially be compliant with all controls at one time, which was a big issue with industry, right? Because in general you have to take a risk-based approach to security. So what that means is, the nature of your organization and the information it handles and the business realities of the organization shouldn’t drive whether or not controls do or don’t apply, which is what we call tailoring controls.
So Sedale, there are a lot of acronyms, bureaucratic and defense, but also cybersecurity related. Maybe something for the audience: if you want, afterwards we can explain what a security control is. Just a bookmark offering, if you will. So that’s CMMC 1.0 versus 2.0. Again, there’s more to it that we can go through.
The sources for all these are outlined in the presentation, but this is straight from the DOD’s website, right? So this is expected to become law in the next couple of years, but in the interim, another thing that happened was the CMMC pilot program was halted. And right now, you’ll know essentially if you have to comply with NIST 800-171 if there’s a specific DFARS clause in your contract, which I believe is 250, sorry.
Oh yeah. I just wanted to throw one question out that I’m sure will be top of mind for those who may be pursuing a contract with the DOD or a civilian agency. When I go to submit an SBIR application, do I need to have these controls in place, or is this something that I’m expected to do over the course of the contract?
Like at what point do I have to start complying with this stuff?
That’s a really great question. The answer is, it depends on how long you think an SBIR award will take, and what’s also written in the solicitation. So you may be asked to submit an SPRS score at the time of contract submission, right at the time you’re bidding for a grant, because you’re definitely going to be expected to comply in some way, shape or form before award.
And so it necessitates the standing up of some kind of information security program and putting it together in a system security plan, which, though you’re not actually submitting system security plans to the DOD today unless they request it, and we’ll talk about medium assessments later, that plan does have to exist.
And so do its precursors, right? Because ideally you want to be standing up a security program because you’re standing up a security program, and not just to comply with CMMC or regulatory or other clauses outside of the scope of today’s webinar, like HIPAA, right? Because if you’re doing something just to comply with the standard, chances are it’s a bit like the Greek tragedies that you may have studied in philosophy class: if you’re doing something just to comply with the standard, it’s actually going to be that much harder to comply with the standard. And so we’ll talk about the points of a security-conscious culture, for example, as we go through the presentation.
The history may not be as relevant to some, but I think it helps understand what happened today, why things are happening the way they are today, by looking at yesterday.
And so yesterday, in this case, is actually late 2020, right? So CMMC 1.0, in my opinion, was dealt a couple of, if you will, fateful blows in late 2020 with the American Bar Association’s November 2020 letter, which pretty succinctly laid out, in 20, maybe not so succinctly, actually in 22 or 23 pages, all the problems that they saw with the CMMC program, to include what Sedale had just asked, whether or not it had to be complete
at bidding versus on award, or something similar around there. So for example, with CMMC 1.0, I think I mentioned, required blanket compliance with each of the security control items, depending, of course, on which maturity level you had, but all the security controls for that maturity level, you would be assessed at that maturity level.
There was no chance of having a plan, submitting a plan to DOD. And so we’re not going to go through all of those here, but I just wanted to leave that at the fingertips, as well as the names of the contractual clauses.
And I am gonna ask real quick. Most people will know what SBIR is, and you have already mentioned what DFAR is, but can you remind us what the acronyms FAR and DFAR stand for?
Yeah, sure. So I’ve done a poor job with the funny acronyms; it’s not my mistake. So the FAR is the Federal Acquisition Regulation framework of policies, so the FAR applies to non-defense agencies, and the DFAR stands for the Defense Federal Acquisition Regulations.
If you will, that sets the defense side of the house. The DOD was actually a pioneer in taking this NIST, which stands for the National Institute of Science and Technology, or, for sticklers, of Standards and Technology, taking the NIST framework, which really was a guidance, right, for how to protect controlled unclassified information, and making it law.
If you had a defense contract. And we saw that happen over here, for all you legal scholars who watch a lot of Suits or Ally McBeal back in the day, and you can look at clauses 7019 through, oops, that should say 7019 through 7021. So those are 7019, 7020, 7021, the three clauses that are relevant to guarding controlled unclassified information.
And that also grants the DOD the authority to audit you, essentially. And there’s a lot; again, I can zoom in or out. And so we have a similar clause, of course, for the FAR, I think, but that was only added in, I believe, late 2021. To my knowledge, there are few non-DOD contracts with explicit requirements; they’re the exception, not the rule.
Okay. So let’s actually move forward. All right. So I can walk through what one can do to secure their enterprise and prepare for assessments, and then we’ll just take questions. So again, it is meant to be very interactive, but yeah, if you’re standing up a security program and preparing for an assessment, what you want to do first and foremost is foster a security-conscious culture, because that’ll lead you to mitigate the number one vulnerability we see time and time again, which is the human, right?
So a security-conscious culture would include annual security training, maybe periodic links to security news. So that’s obvious, but that’s the first step.
Yeah. And I just want to throw out there for founders who are working at this, sometimes you might be taking on this task and you might be thinking like, oh, because OpenGrants has had to confront this as we start to work with larger federal agencies.
And other times, as a founder, I know that it’s hard. You’re like, oh, we’ve got all this, we’re getting asked for this kind of redundancy plan for our developers or what have you, and there’s only four of us. So it can be a bit of a challenge. I just want to throw out there that this can be as basic as, I’m sure,
like, you get phishing emails every once in a while. I can bring those up in the team’s Slack and let them know what a phishing email looks like. Starting to foster that culture is just taking the information you have and just sharing that. And if you don’t know how to foster a security-conscious culture, reach out to people like Elias who can help you navigate that.
But it’s definitely something important to instill, especially if you’re going to be working in the government space. If you’re in the private sector, this is a thing, but there’s a lot less compliance about it, and as a startup you can usually avoid these discussions and this kind of investment in time.
Not that you should, but you can, because you never have to end up writing one of these compliance documents early on. But yeah, I just wanted to throw that out there that this doesn’t have to seem, or be, an imposing or burdensome process, but fostering that culture can just be reminders and providing resources to your team, just to get them on the same page.
Hey, this is what phishing looks like. This is how you become aware that you’re undergoing some kind of social engineering attack. These are the red flags to look for in bogus calls, texts.
Yeah. It sounds like Sedale wants to move into the security compliance business. That was really well put. One thing I did want to add is, I wouldn’t look at this as an exercise that’s just to satisfy a DOD requirement; again, see what I referenced earlier about wanting security for security’s sake. Or another way to look at it is complying with this regulation to then, therefore, comply with other regulations.
So for example, if you want your private sector small business to one day be a private sector, publicly traded business, and I can already sense a lot of entrepreneurs in the audience nodding, then you’re probably going to have to comply with other security standards, like PCI if you’re processing payment data; if you’re a life sciences business, even on your path to being public, you’ll have to comply with those standards.
SOX, if you go public. While the order of the security controls will vary, and that’s really a lot of the unnecessary work, they all say the same or similar things. For example, there are security controls about password complexity; whether you’re doing a private sector certification like ISO or complying with regulatory, if you will, mandates that we just mentioned, SOX, PCI, DOD’s CMMC or HIPAA, there will be a password complexity control, and so on and so forth. So I think the way to look at it is, efforts made here will translate laterally into other verticals of your business, or indeed in the future, in the same vertical as your business continues to grow.
And that’s why, again, it’s important to just get the basics, which we can talk about: fostering a security-conscious culture. Knowing normal is the next one, which we can dig into. And it really is exactly what it sounds like. You have to know what’s normal to see what’s off. And again, how you slice and dice that, as Sedale mentioned, depends on how big your organization is.
So if you’re a small mom-and-pop shop with three or four employees, maybe normal for you is just knowing what your assets are, and really zooming in to traffic, just the attack, right? If you have a lot of super confidential, but not confidential on the classified side, critical data around there,
then obviously knowing normal starts to get a broader definition, and you really are looking to see how devices are communicating, and to whom and when, et cetera. So those are all the technical controls that we can dive into. But again, I’m referring to myself in the third person because why not?
I’ll use sinusitis as an excuse, but, if you will, Elias’s handy-dandy wisdom for the day: patch regularly, foster a security-conscious culture, know normal, track security compliance project metrics just so you can keep improving, standardize processes and tools. It’s that much easier to, if you will, apply everything we’ve talked about, like patching and knowing what’s normal,
if you have one or two or at most maybe three different types of OSes in your environment, that’s operating systems. And then empathize with your system owners. Those are terms for when your org gets a little bit bigger, but that just means the business user, the business owner of a system. So understand that they’re trying to make your company or your agency or your not-for-profit great.
And so you want to make sure your program isn’t burdensome and onerous to them. And again, it’s really risk-based, right, because if you don’t do those things, you’ll end up with the last bullet, which can be applied broadly, be aware of, but really here I’m referring specifically to shadow IT,
which is a term you can look up afterwards, but that’s the bane of many a CSO or chief information security officer’s existence in the modern world. Sedale, what were you saying, sorry?
Yeah, I’ll just throw in there, this process in terms of standing this up for any given contract, I really do want to double down on what Elias mentioned earlier, which is that this builds: doing this once immediately creates a ton of replicable content and policy that you can use as you scale into other opportunities.
So if your first target is DOD, that’s great. You know, if your first target ends up being AWS, or if your first target ends up being any kind of enterprise company that’s operating at that scale, they’re going to require a lot of this, and they’re going to want to do diligence on your system and how you’re doing everything from handling PII to confidential information and all of that. All of that process that you’re going to put in place for one translates really well.
And I can attest to the fact that our first go at this was a bit painful with OpenGrants, for example, just to throw us out there as an example. Like, the first time we had to do this stuff and put this kind of compliance work in place, it was a bit of a slog and we didn’t have a lot of fun, but as soon as we got our next enterprise customer, oh yeah, this is great.
And as you think about your engagement and your path forward with DOD or with a civilian agency, and you think about scaling, a dual-use solution, for example, where you’re going to be addressing not only applications within the DOD but applications in enterprise deployments around the world, maybe, doing this once and getting it right, and then continuing to build and iterate and evolve those controls over time, is going to be just a massively useful tool in your bag as a founder. So I just want to throw that out there, and even if you’re not a founder, if you’re on a team that’s tackling this space, bringing this mentality of having a security-first and security-conscious culture as a base level is just something that is going to give your team a leg up on other groups who might end up just scrambling to try to get something together.
So it really is an important thing to hone in on early, if this is the space that you’re going after, which is DOD, where there’s a lot of compliance and policy things in place that you’re going to need to navigate.
And just to piggyback off of what Sedale said, this also becomes bragging rights with would-be teaming partners if you’re actually trying to win business outside of SBIR and STTR, which I think was the other acronym you were asking about. So those are essentially SBIR awards, but in partnership with a university or a larger business. So if you’re moving to actual contract awards proper, we’re starting to see more and more vendors focused on supply chain security, to include the security of their services supply chain, push cybersecurity questionnaires down to their vendors.
And this isn’t just something that happens in the government contracting space, right? So it could be a publicly traded consumer apps company, and you’re actually asking any vendor, pardon me, nasty illness, you’re asking any vendor about the state of their cybersecurity. Because ultimately it affects, if you will, your vulnerability and your attack surface, but also your cybersecurity insurance liabilities. So I think that’s also a business reason this is happening. Cybersecurity insurance companies are only covering businesses if they insure their suppliers for a short time.
So yeah, we can definitely get really granular with any of these. I did just want to piggyback to shadow IT and explain what I meant before the cough-slash-sneeze attack. Shadow IT is something I’ve seen in pockets of the government before, unfortunately, but candidly, understandably, and in the private sector. And what happens is if a program gets too focused on compliance at the detriment of the actual business objectives. And this usually happens if they’re avoiding a come-to-Jesus moment, if you will, for lack of a better term, or an honest, painfully candid conversation between business owners and the security team, right?
So this might happen if someone doesn’t want to push up the bad news that they have legacy IT, or legacy information technology assets, right? So think Windows XP workstations. Or if somebody’s on a new round of technology, somebody realizes that the cost to get to a certain baseline, a security compliance baseline to include technical controls, is too onerous and burdensome.
They might start to buy assets not through authorized means. And so I think if shadow IT exists in a larger business, and typically it’d be a larger business, then something’s definitely gone wrong with the security program, and maybe it’s focused too much on compliance for compliance’s sake.
So that’s certainly something to pay attention to. Yeah.
And just to zoom out a little bit, so shadow IT just refers to, and correct me if I’m wrong, but shadow IT refers to, all of a sudden you’ve required everyone to use VPNs on their company laptops, but it makes everything run super slow,
and so they start using their personal laptop to run operations and,
that’s unauthorized, or purchasing a laptop, an official work laptop, that isn’t registered, or circumventing some security policies or patching policy. Yeah, it happens more often than we’d like to admit,
I’m afraid, including at publicly traded companies.
Yeah. And just to throw something out there, because this is a problem, especially for early-stage companies, where they have a lot of bring-your-own-device. People are just showing up with whatever. There are some hurdles to tackle there.
And so I just want to throw that out there for founders: there are some great tools to help you control this. At a very basic level, when you don’t need deep controls, you can use even just managed, deployed browser policies, so that you can remotely clear information off of other devices, things like that.
So there are a lot of tools out there. But I definitely want to dive into questions here for sure. And I’m going to go ahead and swap back over to this screen, Elias, if you want to stop sharing there. But one of the questions we got here was: SBIR DOD proposals do not include any reference to your patents.
What happens when some other funded company SBR DOD funding company gets grants by infringing on your intellectual property? I am not I th I think this is one, maybe two best address by the attorney. For sure. So apologies that we can’t answer this fully, but I will say and this is a good point to bring it up that you are, when you’re submitting a grant proposal generally even with the DOD, you are you’re submitting information to the government and the government has a variety of kind of open data and information things that they have to comply with.
And so you want to be careful about labeling things that are confidential as confidential. You want to be careful about all of that because it can wind up the end of a foyer request or other requests. And you do want to be conscious of what you’re sharing with the government and how you’re communicating that to that the agency. I’m going to go ahead and pop back over here…
and again, not a lawyer, but I also heard if you submit the same idea, if you will, the same research proposal to different agencies and end up winning for the same for the same research proposal at different agencies, you can only go ahead and pursue the same idea once across the landscape of the federal government.
So make sure you’re not winning multiple awards for the same phase. One idea.
Yes, a hundred percent. And that can actually land you in quite a bit of trouble. In fact you can, if you decide to go ahead and accept those awards for the same idea for multiple agencies you can get in quite a bit of quite a bit of trouble there.
I wanted to throw some additional questions your way because, as a founder who has navigated some of this stuff, I always felt it was pretty imposing. And we’d get hit with this big, I remember our first NIST questionnaire that was like 500 questions.
Like the first time we got one of those security questionnaires, it was so much, it was just this massive, monumental document. Do you have any thoughts on frameworks or tools? And I know you have some great resources linked there, but I wondered if you could talk high level about any good frameworks or tools that companies looking at the contracting space, or in process to get a contract, can use to start to navigate this and set good policies in place.
They need open source things that they can consult.
Sure. So open source, yes. You have a lot of the federal government’s, I guess half the battle is knowing where to look. And so a lot of those things are embedded in the presentation, but you could go to DoD directly. You could actually, [email protected] has a three part cybersecurity course for how to set up a cybersecurity program for one’s own business.
So I haven’t taken the course, but just looking at the topics, it looks like it actually covers, at a high level with some granularity here and there, how to set up a system security plan, which is one of the requirements, right? And as you start to look at the system security plan and what goes in it, which is your checklist of controls, hopefully the participants will start to understand what it is the government’s asking, and you’ll start to reverse
engineer backwards from there what you need to put in place in your own organizations. So yeah, but there’s a litany. So you could also look at academic institutions, for example, that have complied with 800-171. A lot of them have posted their methodology to their own websites.
Whether it’s, I don’t know, University of Virginia or Virginia Tech, George Washington University, just throwing out names of universities, Georgetown for those in the DC area. But what other ones come to mind? Georgia Tech? I think it’s the University of Connecticut that has a really good, extensive repository of 800-171 documents, even YouTube videos, just showing how they piecemealed their program into existence.
So yeah, there’s a lot of material out there. I think the trick will be to avoid the noise. You can also reach out to the experts if you need to, and not just tooting my own horn, but for example, the CMMC-AB, which is a not-for-profit stood up by DoD, has a marketplace where you can look at all CMMC Registered Assessors, all CMMC Registered Practitioners, which I’m one, and those are people who understand the specific space.
So a long-winded answer there, a lot of open source materials out there. Just really quick, sorry, I interrupted. I’ll just finish that thought. There’s also paid tools, so commercial off the shelf tools. And so what these do is they ask you a bunch of questions. So Sedale mentioned he was once on the receiving end of 500 questions.
So you can use different vendors that have essentially stood up tools. The biggest I could, like I was probably a company you guys have heard of called. And they’re asking you all these questions without you having to worry about going to this website to pull the 800-171 or 800-172 on your own, right?
Or looking at CMMC. And so based on your answers, you type up your answers and what have you, and then they generate documentation for you. And happy to recommend vendors if you’re interested.
Awesome. Yeah, that’s great. And I think along those lines, I just want to throw out that also, we’ve talked a lot about this.
We’ve talked about CMMC. We’ve mentioned a lot of different things and I want to do a little level setting. You don’t necessarily need to go out and get like FedRAMP done, right? Unless someone has asked you for it and offered you a contract.
So the process for this is: read through those RFIs, read through the RFP, start to understand what that contract, what your contractual obligations are, and then execute on this. And some of it, depending on the process, you may need to have done ahead of time or in place.
But it’s not like a deal breaker or something you need to have done before you respond to the RFI. And I’ll just give an example: we have a contract partner on Starz three that we just worked with, and I won’t mention the other details. In one of the bids we just put in, it’s, hey, how long does it take you to get to FedRAMP?
And so these are the kinds of questions. The agencies themselves are aware that some of the more burdensome security compliance, FedRAMP being, I think, arguably the most burdensome, some of these compliance things take time and energy and investment, up to a year in fact.
And so they’re not unaware of the barrier and they are trying to work with you in an intelligent way. So not only should you be reading these things carefully, but as Elias mentioned, reach out, talk to them, don’t be afraid to have a conversation about the realities of where you are and where you need to be, and they will help you navigate this.
Because if you just try to go it alone, chances are you’re either going to underdo it, or you’re going to overdo it and spend a bunch of money on something that you didn’t necessarily need to do. Just be aware of that as you’re approaching this space: there’s specific applications for different controls, specific requirements, and there’s unfortunately not a whole lot of standardization across the universe of opportunities that are out there.
And just to piggyback off of what Sedale said again, like with your FedRAMP example, there’s only a finite pre-approved list of FedRAMP assessors. So often, even if you have the budget in terms of finances and personnel, things aren’t always going to go according to your pace, depending on what you’re trying to do.
So that’s something worth considering, but that said, there are other resources out there. So I did want to make a bit of a mental note earlier. You were talking about AWS as you were setting up OpenGrants. And so that’s actually a really great point. So obviously, a big way to comply with one of the onerous technical requirements of standing up a modern, relatively secure enterprise.
And again, there are some challenges. If there are any security personnel in the audience, I can sense them laughing, right? Because with every layer of abstraction you’re mitigating some vulnerabilities while opening up others. So we can explain that depending on how interested or disinterested audience members are. Now, for example, the Okta breach, right?
Correct, SSO, but we’ll shelve that for a second. But if you were to leverage the cloud, is the point I was making, like Google Cloud or AWS or Microsoft Azure, you can actually, when it comes to writing your security plan, you can head to their websites and look at, depending on what percentage of your enterprise they are and where your critical assets are.
You can look at their own write-ups for how they satisfy a litany of controls and save a lot of money on consultants, to be very candid. So I think that’s worth repeating. So once again, if you’re leveraging the cloud, head to your vendor’s website, reach out to your vendor and ask them to help explain how you satisfy 800-171 or CMMC.
And honestly the commercial certifications, they’ll have pages for ISO 27001. They’ll have pages for other regulatory frameworks, again for HIPAA, for PCI, for SOX, because they’ve done that legwork. So once again, we talked about how password complexity may be over here for this one standard and over there with a different alphanumeric code for a different standard.
So what Microsoft and Amazon and Google have done is they’ve basically prepared them for you, also saying here’s how to comply with password controls, and then map that out to the different standards, and you can copy and paste that text into your SSP. So hopefully that helps. But that’s also something to architect towards.
If you’re sitting there deciding where your enterprise should go and what kind of cloud architecture to have, or.
Yes, a hundred percent. And depending on the service provider that you’re working with, if you are leveraging that cloud, there may even be like an account person that can help you leverage additional controls.
They may also have services like AWS actually has something called GovCloud. And I’m sure that Microsoft and others have some similar offering where it’s already like the architecture and the policy bits are already optimized for those environments. One thing I wanted to just bring up or ask your thoughts on: there are obviously costs associated with some of this compliance work.
Do you pay for some of this engagement, like a security consultant, through your SBIR grants?
That’s actually a great question. I think you would have to put it in there and see if it gets through. But that’s something I would ask the contracting office. That’s not something I have experience with.
Yeah. And then, we have about 10 minutes left here, so I definitely want to encourage, if anyone in the audience does have any additional questions, please do feel free to use the Q and A. I know this was a fairly technical and very specific discussion. But I really do think,
for me, I’ve found frequently that this is one of those things where you can really exploit the edges of the playing board in terms of having a good understanding of this space and having a good understanding of what you’re bringing to market, especially if you’re in the business right now.
And I assume you are, since you’re on this webinar, you’re in the business of trying to sell something to the DoD or the government itself. You’re going to need a little bit of a different set of tricks than the founders who are building a dating app. And not that one is better than the other.
They’re just very different spaces. And so definitely take the time. There’s some good resources in the slides that Elias prepared. I may send over some other stuff as well. There’s some great books and frameworks that you can avail yourself of. I think the thing I want to double down on personally is creating that security conscious culture within your organization.
The amount of times that I’ve sat on an Amtrak train or in flight with Wireshark and looked at things I probably shouldn’t have been looking at, there’s a big threat space out there and you don’t really realize how vulnerable your organization is.
And you start thinking about that whole space. And just for those of you who might not know, Wireshark is a packet sniffing and very interesting tool that you can use to capture information as it moves over Wi-Fi. And so you can do all kinds of things to really help your team understand the basics of why you should use a VPN when you’re out and about, if you’re doing especially sensitive work, what kind of controls your devices should have in place.
So there’s a lot of things that you can do that don’t require an expensive consultant, but just really more require you thinking through a framework and having an idea of what your concerns are and what the things are you want to start to help your team understand.
I really like how our CTO at OpenGrants, every once in a while, does exactly what I mentioned earlier. He’ll take a phishing email or some other bit of creepy shenanigans that he’s seen and he’ll just drop it into Slack and be like, hey team, this is something to look out for. Don’t fall prey to this trap for X, Y, and Z reasons.
So Elias, I don’t know if you have any thoughts on that, but zooming all the way back, big red flags, or if founders are going to do three things walking away from today’s webinar, if you’re going after DoD and want to be a contract holder, what do you say?
Like the first immediate steps anyone should take in terms of getting ready from a security and compliance standpoint?
Yes, that’s a great question. Again, I refer to those five or six steps I laid out as far as prioritizing them. Yeah, security conscious culture is definitely, probably number one. Knowing normal, especially your assets: at the very minimum, you have to know the assets in your network. That is definitely, I would say, a top three critical component. It’s also a requirement for a lot of security standards beyond the DoD space.
And can we define that a bit more? So when you talk about assets, are you talking about servers, devices? What does that mean?
Yeah, and everything in between. Anywhere where data is stored, or it could be stored, right?
So you just want to understand what exists. But yeah, to truly master knowing normal, I would move beyond how sense to also a snapshot of a network, but that will come with greater levels of maturity. Again, it comes down to your budget and your goals and what contract, what you’re hoping to get out of it.
And those are all business decisions at the end of the day, and what you’re trying to protect in the interim as well. So this is a point of view of, for example, awareness training: you could start with an example, phishing emails once in a while, or you could do phishing tests.
You’ll find that it’s difficult to scale that manually, which is why, if you have the budget to save some time, eventually you may want to use a service by a vendor like KnowBe4. And they’ll actually, I think they have something called GoPhish, and they’ll just generate phishing emails and push them to,
yeah, a pre-authorized list, if you will, that you’ve provided them of employees. So yeah, there’s a lot to do. Again, it comes down to what you’re trying to get out of a security program or out of your business.
Yeah. One of the last points I wanted to bring up and get your thoughts on: so I spent some time, before being a startup founder, I worked as a management consultant and did a variety of kind of cybersecurity consulting work, very random, but one of my favorite books out of all of that was The Art of Human Hacking.
And it’s just this kind of, maybe dated, maybe not, but it’s this deep dive on social engineering. And I wanted to hear your thoughts on just that. I don’t think that’s really covered by some of these frameworks, at least not well, in my opinion, but I’d love to hear your thoughts on that and how that plays into creating that culture of security awareness and what the human element is here that founders and people who are in this space should consider.
Sure. Yeah. So it actually is, a little bit, in different ways. So the programs, they’ll spell out requirements for periodic training, at a very minimum annual training, and there’s a social engineering module, I think, to a lot of the DoD training, also for businesses with, depending on what controls apply, which are driven by the sensitivity of the information the business holds.
And this is across different standards, not just CMMC/800-171 today. Even outside, a lot of regulations will mandate third-party penetration tests, right? Including, for example, if you’re at a third level in the future, when CMMC 2.0 gets rolled out, the third level of maturity would require compliance with 800-172 versus 800-171, which has more measures like penetration tests.
But I digress. That’s the regulatory portion of the answer to your question about whether or not regulation satisfies it. As far as how to learn more about social engineering, if people are curious about security and moving beyond the boring regulation stuff we’ve talked about, which may be boring to some, you could start by listening to Darknet Diaries, a podcast
I really love. I would start even at the early episodes, even though they go back a few years. It’s just phenomenal. Just to Sedale’s point of view, there’s a litany of books you can read too; some are more or less technical than others, but some that are probably accessible are, I think, the books by Kevin Mitnick, The Art of Intrusion, so that’s one. Yes, The Art of Intrusion. There’s all kinds of other books also, but yeah, depending on how interested in security you are, I’d say start with Darknet Diaries. That’s a great podcast.
It’s an awesome podcast. This has been great. I really appreciate you taking the time. Definitely something that I think is a critical tool for founders going after DoD that is not talked about enough. There’s a lot of fanfare, deservedly so, around just the technical prowess, but the cybersecurity elements of this are also massive.
And one of the reasons that I’m very bullish on this for smaller teams is the DoD has in the past defaulted to wanting to incubate ideas, but then pass them off to someone like Lockheed because of not only the contracting capabilities and scaling capabilities, but also because of the compliance frameworks that are there.
And so learning how to work within these frameworks and leverage them quickly as a competitive advantage is going to give you a huge leg up as you look through the space and go after contracts here. So that’s my parting thoughts on that subject. Elias, I don’t know if you have any sort of final invites you want to make to the audience.
Yeah, definitely reach out to us at Marius Group, that you asked, if you have any questions, or to Sedale. Yeah, thanks for a great webinar. Forgive me for getting over a cough and sneezing at times. I did have a parting thought about the future of the industry, and this applies beyond government contractors, but I think what we’re seeing is clearly every successive administration, across political lines, is increasingly aware of the importance of having a strong cybersecurity posture that includes reporting cybersecurity breaches. So I think what was put out quite recently was actual reporting minimum timelines for recipients of federal contract awards. And that may even apply to publicly traded companies.
I’ll have to take a look, with penalties. Before this, typically contractors that failed to report breaches in a timely manner would be subject to the False Claims Act, but those kinds of claims have to, are often brought by insiders in the business. And there’s a lot of stigma associated with whistleblowing.
So you have a lot of people who may have seen an employer do something wrong or are hesitant to bring it to the government’s attention. But now I think that’s changing. Again, that’s something for your legal scholars to explain better. But so yeah, there’s a lot of regulation.
And then at the state level too, just to finish the thought, if you do business in Virginia, California, helping outside here, there’s a third state that’s followed Virginia and California,
they have to have cybersecurity standards, but for example, the California data protection act, Virginia has one, Florida might have one, and they’re basically America’s, at the state level, take on GDPR.
Yeah, so this was very federal. But it’s not to say you shouldn’t pay attention to state and local regulations. And obviously if you’re an international business or, knock on wood, hope to be an international business one day, you’ll want to pay attention to stringent international cybersecurity regulations.
Also, obviously GDPR out of the EU is a big one. Think South Korea and Japan have pretty robust data protection laws too.
Awesome. Alrighty. Thank you so much for your time today, Elias. Thank you all for tuning in. This will be available afterwards; as I mentioned, we’ll upload it to our YouTube channel.
We’ll email out not only the information, but the resources, and if we didn’t get to your questions we’ll follow up via email. But thank you so much for your participation, and we’ll see you at the next one.