Podcast - The State of Contractor Cybersecurity with Katie Arrington
In this episode of "Regulatory Phishing," former U.S. Department of Defense Chief Information Security Officer (CISO) Katie Arrington joins Government Contracts and Cybersecurity attorney Eric Crusius to discuss the state of cybersecurity within the defense industrial base, including the rollout of the Cybersecurity Maturity Model Certification (CMMC). The discussion is wide-ranging and offers invaluable insights into what is to come in the months and years ahead.
Eric Crusius: Hi, this is Eric Crusius. We're here with the latest edition of Regulatory Phishing. It's really my honor and pleasure to introduce to the podcast Katie Arrington. Hey, Katie.
Katie Arrington: Hey, Eric, How are you doing? I'm a big fan. I'm a listener of your podcast. So go you.
Eric Crusius: Longtime listener, first time caller. Right?
Katie Arrington: Bob and Tom, everybody (inaudible) Mr. Obvious.
Eric Crusius: Maybe for the one person listening to this podcast who doesn't know who you are, we should do an introduction and go with that. I wonder if you could just kind of talk to your bio a little because it's a really a fascinating bio. You were previously with DOD, I say essentially in charge of the CMMC program, but I'd like to hear what happened before that, of course, too.
Katie Arrington: So. Hi, I'm Katie Arrington. I am the former CISO for acquisition and sustainment at the Department of Defense. Prior to that, I was a state legislator in South Carolina. I ran for Congress. I was a vice president of multiple software, vice presidents, directors of multiple cyber development security companies for many, many years, a big proponent for cybersecurity. Actually, that's why I ran for office, was that I saw that the cybersecurity laws and rules weren't really effective for small business, and I owned a small business and I wanted to be able to effect change. And I, I did my best. My highest professional accolade is that I was the original starter of the CMMC. Good, bad or indifferent.
Eric Crusius: I'll say good. I'll say good for a lot of reasons. What are you up to these days besides being on this podcast?
Katie Arrington: So I have been working for the past year on creating a supply chain risk mitigation ecosystem that includes cybersecurity, that includes the CMMC. As these new rules come out, how to make it more effective, less expensive and more impactful on risk reduction for small and medium-sized businesses across the United States. So I have been a very busy girl doing that and getting ready to launch this ecosystem on September 20. I'm very excited. So I've been working with several of our large primes in the defense industry and illuminating their supply chains and then taking those risk scores and putting them into something called the Connects Marketplace, which the National Association of Manufacturers funded this ecosystem to be created about 10 years ago, which when I founded it was basically Match.com for manufacturers. I need somebody who can do X, Y and Z, and they have over 150,000 manufacturers in this database. And I was like, well, this is a great opportunity where we can empower the small and medium-sized businesses to see their risk in the way that the prime sees it, and then work with the MEPs in each state to reduce their risk and to help bridge the gap for grants to help them if it's they need help in automation or workforce or, you know, investment. So I've worked for a year to create an ecosystem that virtually anybody in the country can log in. They can request to see what they look like as a risk score, and then they have the resources at their back door to help them mitigate and then to write their mitigation responses on their risk scores and have them in a repository so the primes can see that they're actively working to reduce risk and make them more desirable to partner with. Because I am for one team, one fight, and that's, that's still the case. So I ran for Congress. I was not successful. But that doesn't mean that I don't care and the passion hasn't stopped in any regard. So I am a quiet supporter of our industrial base and a big fan of everybody that works in it every day. How many times have you heard me say, you know, if not for you, where would the warfighter be? And that's the truth, because the DOD does nothing but create problems, bureaucracy and proposals. So, and I can say that from being from DOD.
Eric Crusius: And it's really interesting, this venture that you're involved in now, because it dovetails so well with the new DFARS clause 252.204-7024.
Katie Arrington: Actually created it, that, for that cause. As people are becoming aware, one of the things people, they take me for, the mother of the CMMC, but they also don't understand that I was also over supply chain. So in my job as CISO I had all the weapons systems, all the critical infrastructure and the DIB under my purview. But when the pandemic came, I was tasked to lead the COVID PPE Supply Chain Task Force for acceleration. So I was the person in charge of coalescing control tower, getting all of the acquisition strategies right, and actually using supply chain illumination tools to verify whether companies that were trying to sell the U.S. government or hospitals or states PPE, that it wasn't counterfeit, that there wasn't (inaudible). So that was, you know, in the time of from March to basically November of 2021, that was my job. Or was it 2020 or 2021? 2021. Yeah. And worked really hard. So I, I have a great love for supply chain, and they knew DPR is about supply chain and it includes cyber, which is always been part of the supply chain. In fact, it's the framework, it's the basis of all supply chain.
Eric Crusius: And those are just crazy times. I represented a few clients that were supplying PPE to the federal government. There are a lot of late nights just from my perspective, so I can't imagine.
Katie Arrington: Oh, FEMA, HHS. I can't say enough about the people that gave themselves to that, and I'll give a shoutout to a couple of them. Bob Farmer is probably one of the unsung heroes. And Admiral (inaudible) and Ellen Lord, my boss, and Kevin Fahey and Brent Ingraham, some names and some people that you don't know as American heroes and my God, they were, they really did, they push the limits of what we could do within the framework of the law that we had at the time, and it was amazing. It's you know, the CMMC is a high point. But then I look at my career three and a half years, I was in the Pentagon and the things that we were able to do, I mean we created CMMC, we launched the Trusted Capital program, we actually started the first SCRM taxonomy. There was a SCRM task force sort of, but we really started coming together and defining what were the categories of risk. And now that's published out, right? That's out now, and that's huge. I take the time in the DOD is the most impactful time I've had in my life, and I hope this next segue is, you know, there are people that do this for a living and I do it because I care and I love my country. But our democracy, our republic is such an amazing, crazy at times. But my gosh, it's the only place in the world where we're able to be free.
Eric Crusius: We're all just trying to carry it forward.
Katie Arrington: Yes, sir.
Eric Crusius: Well, I mean, most people know you best for CMMC, so let me ask you a few questions about that. One thing that struck me as I saw a LinkedIn post you had the other day where you talked about, you know, CMMC has some importance, of course, but what really contractors should be aware of is that it's just a verification and I've said this too, it's just a verification of things that contractors already have to do.
Katie Arrington: Amen, it was just an audit. It was an audit just like ISO. If you're a manufacturer and you, you know, you get your ISO 9000 or — remember when we had the CMMI was the big thing in software development and you had to get your CMMI and what level it was. It was an audit that you had the processes, you had the policy and you had the culture to develop software in a safe, effective manner. That's all it was. And the level of maturity that you had in developing software was the CMA. I took those same — and I was one of those people that went and took two companies from Level One to Level Four on CMMI. I was an owner of a small business. I went from DiCAP to RMF, so I was a unique unicorn in the Pentagon and I came in as a wrecking ball. They wanted me to be a wrecking ball because I had been through the trenches and I'd been through all the problems. And, you know, the CMMC was to help companies get good about cyber, not because of national secrets, but because of national security on a whole. And I'm so proud, and I will say this of the team at the CMMC PMO, I will forever praise Stacy Bastianich, (Inaudible), John Choy is not a part of it. But Dawn, I mean that team of people, I cannot say enough about positive every day because the bureaucracy is hard and ugly within the building. Everybody wants to say so in it. Everybody thinks that their way of doing it is the right way. And those, you know, I've left the building and they have continued through crazy iterations to stay focused. And then the other part is the ecosystem around it. You know, seeing is believing. And, you know, in 2019, when I took the stage in March of 2019, I went to the ESF, which is a closed environment and is the enduring security force and it's all of the agencies come together, and I will never forget I went on stage and this is Katie Arrington HQE from the DOD. I wasn't the CISO at the time and I said, hey, I'm going to make everybody get audited to the nest, and they laughed me off the stage. Well, it's, you know, the things that happened, you know, Eric, there are things that bother me about where we are with the CMMC today. I think sadly bureaucrats politics got involved where they never should have been. And the original CMMC — I wish we could go back. I never wanted it to be a (inaudible). I wanted it to be in sections LNM. So the program managers, the people in charge, could have the creativity to tailor the security need to the program because every program is different.
Eric Crusius: Right.
Katie Arrington: And they need the freedom to develop. So I was on the team that created the Adaptive Acquisition Framework. I was on the Federal Acquisition Security Council. I was deep in the heart of all of this. And, you know, industry pushed to say get into (inaudible) because if you leave, things will change. Well kids, I left and things changed. It just got more complicated. And, you know, now we're at the crux that the, you know, the (inaudible) the model has changed from a maturity model to a compliance model. I think that, you know, the powers that be — now, I'll say it on this, you know, I blame Jesse Salazar point blank. He was my new boss. He was a political appointee, came in, he knew nothing about cybersecurity. I reported to him. He was afraid of it. And instead of doing the right thing, he dragged his feet and, you know, stop. And let's do a Tiger Team assessment. We've been doing Tiger Teams, we had industry come in and we had done what, four rounds of public comment, and industry helped create the model itself. I mean, it wasn't the Department of Defense and it wasn't missed. It was everybody. The beauty of that time frame, which is really sad that we've lost it, I think from my perspective — and I know the PMO tried really hard to engage — but it was industry leading it because it's really great to be educated and work in a bureaucratic position for years and years. But unless you're actually on the ground and done it, it's really difficult to write a regulation or a standard if you don't understand how it's actually implemented and deployed. And I learned so much from my CISOs that I worked with and the hundreds of volunteers on the scene — and I mean hundreds of volunteers from industry within the CMMC in that first year and a half. I credit Mike Gordon, I credit Mike Harris, Jacey Dobson and Andy Isaac, Steve Shirley. There were so many people that opened my eyes to many complex setups, that understanding that this rule doesn't really apply. And one of the things that why I wanted it to be in sections and in a contract is because we can see things happening. If you follow me on LinkedIn, I'm always posting stuff, and I don't mean to be snarky, but I'm trying to point out the obvious reference to the Bob and Tom show, Mr. Obvious. We've created a model, right, where password managers are a part of it, but we now know openly with ChatGPT that we can openly break passwords. So why is that a requirement now? What validation does that prove, right? And as we go through and we put these standards out, and because we're transparent, because we are a country that believes in transparency in government, we do silly things. So we put out the 171. Do you think that China, Russia, Iran, our adversaries don't look at the 171 and they for every one U.S. cyber warrior, they have 1,000. That they're not trying to find ways to poke holes in it. That's why the original CMMC was so beautiful is that the program manager could determine what was needed and necessary within the confines of the 171. And at that time the 172 Bravo, which turned into — I'm sorry, the 171 Bravo, which turned into 172 — it was, it was the art of the possible. But here we are today. OMB has the rule, and hopefully we get it through and it will go through. I don't doubt that. But it's no longer a majority model. It's just a compliance and audit to ensure that you're doing what is required by law already to be doing if you receive or transmit CUI.
Eric Crusius: It's funny, you said something interesting about passwords a couple of minutes ago, and with the rise of quantum computing and the ability of computers to process faster, that's going to make passwords even more useless in the future.
Katie Arrington: Well, I think passwords and multifactor authentication, I mean, how long is it going to be before post quantum computing can break like a token?
Eric Crusius: I'd say, in the next five years or so.
Katie Arrington: Easy. Yeah. So what the, what we do wrong in our government in this regard is that we create standards, which are great, right? But because the way we are set up to go through this process, by the time we actually implement, it's OBE it's like, you know, the whole thing that they're doing right now about, you know, the SEC is saying that you must call and notify of a breach within 72 hours. Well, why does that matter? I'd much rather invest my tax dollars in preventing the breach from ever happening than having a desk report of somebody filing data who may read it or not read it ever, right? Who is taking that right? We have network scanning. We have the capability to look at this right now. I mean, NSA people make no bones about it. They're watching. So why are we wasting time and energy on things like that when we have good policies? I mean, we have the best cyber policies out there. We just need to enforce them and create ways that companies can if they're not sufficient, how do we get them sufficient? And they say, you know, one of the things I learned when I was leaving the Pentagon is, you know, we want to get free chicken. We want to make sure there's free chicken. They got to have chicken. I remember being on a call with the Deputy Secretary Hicks and her talking about what are we giving to small businesses? And I live you know, I'm a very religious woman. And I you know, the Bible says it really clearly in my view. You know, if you teach a man to fish, he will never go hungry. Let's teach companies the cyber policies, the cyber processes, the, the culture, and they will never go without having the capability to defend themselves, but giving them a tool, if that, you know, the government gives you a tool, it's only as good as long as the government's funding that tool and that's only a guarantee of one year. It's not like it's forever. And I just think that they're in a tailspin right now because instead of helping the small businesses get the right policies and procedures and culture, they're more concerned about giving them free giveaways to make it easier. And that's not the right answer, because budgets ebb and flow. And I personally applaud Dr. Hicks. I think that she wrote The Gray Zone, which is if you have not read The Gray Zone, you’re living it right now. And the challenge is people doing the right thing isn’t easy. If it was, the world would be a different place. But getting people set up to do the right thing and the next right thing and resources to help them get there versus giving it to them. And that’s where I think they've, you know, they're so hung up on the cost that they forgot that the cost of implementation of the nest was, that's OBE, that was supposed to be in 2015, building it into your rates and being compliant. The reason why we created the CMMC is because industry wasn't compliant. And they still aren't compliant. And thank goodness the False Claims Act is really starting to take hold. I mean, I think Booz Allen with the $377 million fine should be a wakeup call. The Aerojet won in (inaudible). That was, what, 2020 the Aerojet one came through. People I mean, sadly, people actually be worried about me. I know your spurs scores. Remember, I was the person that was in the inside. I know what you're doing. We just need to change the mentality. Instead of waiting for the government to approve the CMMC through the rule change, get good now because you can go get (inaudible) verification. You can get an audit from an approved C3PAO to come and validate your spur scores. And it shows that you're a good vendor, and if you're lacking, well, you, honest to God, get right about it and you start doing the right things. Because, you know, there's a funny story that I'll tell in December 2019, Christmas time, Christmas Eve. As a matter of fact, my boss, Ms. Lord, had gotten a call from Secretary Manoogian about a company within the, the supply chain that had ransomware and it was very critical company to a critical capability. And somehow or another they had gotten his phone number and he had called Ms. Lord and that the question came out, you know, what do we do? And Ms. Lord, to her credit, she's no fluff. You know, we don't pay terrorists. That's part of our deal. Ransomware. If you get hit with ransomware, the government's not bailing you out.
Eric Crusius: Right.
Katie Arrington: That kind of leadership is amazing, right? Because it just makes you realize, oh, yeah, I better get right because no one's here to help me. I signed up. I started a business. I want to be in this business and I shouldn't look to anybody else. I mean, if you own a restaurant, Eric, today, and the DHEC in South Carolina is — DHEC Department of Health and Environmental Controls — comes and says at a restaurant, we said that the temperature needed to be 180 degrees and you had to have washing stations for hands for employees every 20 feet and we're now saying it's every 10 feet, is there any entity that's going to start giving money to restaurants to make that change?
Eric Crusius: To pay for the installation of additional sinks? No.
Katie Arrington: No. Why do we look at the DOD as like, there should be a handout if you don't want to do work and be compliant to the DOD. Good luck. God bless and move along. And I say that because — tell me what sector that is as large as the defense sector, which is, you know, $899 billion a year, another sector that doesn't have the same type of requirements, because I dare anyone to tell me that a doctor's office, a pharmacy, a hospital system has any less stringent rules and regulations, and there's nobody giving free handouts there.
Eric Crusius: I was going to say, I do remember when CMMC 1.0 came out. The cost for compliance of 800-171 was already assumed.
Katie Arrington: Absolutely, because when the rule, the 7012 clause, the DFAR 7012 clause, went into effect in 2015 by President Barack Obama, who by, oh, by the way, put it into play because we were losing our collective asses. Sorry for anybody listening, but when the J-20 took off six months after the F-35 and had the same canopy flaws as the F-35 the U.S. should have gone for huh? And Barack Obama did. And many things happened that people have forgotten about. You know, no one talks about today or in 2023. Does anyone remember the infamous Geurts Memo of 2018? Because I do. I remember when Hondo Geurts, Secretary Geurts, wrote a memo telling the Navy after the big leak, they want the highest and the best cybersecurity for the Navy. Well, it comes at a cost. And where we are now is it's an argument over who's going to pay the bill and industry failed. Themselves in one area when the original 7012 clause came. Nobody started building their rates around implementing the nest. And now with the OMB rule, I can tell you the arguments I had back in the day with OMB — and I doubt they changed — is they wanted in the rule that I submitted when I was there. They wanted me to include the cost of implementing the next. And I said, no, that's OBC. I'm doing a compliance audit, the cost of compliance. It's much like an ISO. I'm not talking about the NIST 171 because you already put that into law, into effect. I'm not going back in time. That was already there. So we need to understand, and I believe that Congress gets it. I believe our legislators get that security is going to cost something. But industry is still sheepish on actually saying what the true cost is and passing the buck down the supply chain. And that's why the new rule, the new DFARS rule about supply chain risk management, included cybersecurity, is because you can't pass the buck. It's got to, you know, it, you know, water runs downhill. But the responsibility ultimately is at the prime. And if you think the prime is going to continue to work with you knowingly, that you're not compliant. How long do you think they're willing to assume that risk? And if you're working in the DOD and this space, it's, it is lucrative. It is job security. So don't give me that B.S. that people have been saying for years, like small businesses will be OK. Well, if they go, I can promise you there's somebody that'll step into their place. Where there is a need. And Eric, the proof in the pudding, is when we started the CMMC journey and everybody said there wasn't an ecosystem able to support it. Eric, is there an ecosystem to support it?
Eric Crusius: I think we're building one collectively.
Katie Arrington: Yep. But when, if I continued to give away free chicken, would we ever have created capabilities like FutureFeed? Would we ever have network monitoring like we do in the Cloud Instantiation? If you give industry a problem and you actually let industry do what they do best, which is solve it, they will.
Eric Crusius: To that point, I still I have a very distinct memory. You spoke at the Professional Services Council in November 2019. I think it was. I remember at the end of your presentation you said, OK, industry, get together and figure it out. And they all figured it out.
Katie Arrington: They did well because (inaudible That, you know, I will say that the tri associations, but I'll give David Berto a lot of credit. He just said, you know, I'll do, this is the right thing to do and let's get it done. And it was myself, Mr. Fahy and Stacy Bastianich that spoke that day. And, you know, I wish we had leaders like Kevin Fahy, because, my gosh, he just laid it out. He really did understand the problem. And that time in the Pentagon, I look back as revolutionary because you think about the things that were done in that time frame. The Adaptive Acquisition Framework came out right. We created a cadre of IP. We never had lawyers in the department dealing with intellectual property. We created the CMMC, we created supply chain risk management in a real robust way. It was the first real supply chain, an executive order supply chain report, the 13806 that had (inaudible) since World War II. It was such an incredible time of momentum and change and I think that the DOD in some aspects are doing some amazing things right now. I think the zero trust in the cyber workforce are great, but let's not keep compiling things on the industry until we get the basics down. And it's step to step, it's crawl, walk, run. And, you know, if you're doing the NIST 171, I say if you're doing 80 percent of the NIST 171, you're on the pathway to zero trust. You know, I did a post on LinkedIn not too long ago, and I state very obvious things. I don't, I don't write things because it's like, hey, and the world, you know, nothing really is changing here, right? So there was, the White House keeps updating, you put out this amazing cybersecurity policies and we're doing it. It's like, dudes, we have great policy. We just don't enforce it. So writing new policy when you can't enforce the old policy is silly. Let's focus on getting it right. Because the time I mean, we're in an open you know, I say open war with the reality that our, our military ammunitions training is going to fight Russia through Ukraine in a proxy war. And that is my personal opinion. Nobody has to agree with me or disagree with me. I think we're fighting a proxy war with Russia. And we're fighting a non-kinetic war with everybody else. Because they're all in the idea of get rid of the United States, right, we're the beacon on the hill, we're the light on the hill. Nobody in the, you leave the United States, aside from Israel and Poland and Australia, the UK and Canada, how many countries really want us to survive? Think about that. Out of the whole world, 100 and what, 70 odd countries around the world? How many of them really care to have us survive? There are ones that like us because we fund them. We give them a great deal of money. But our ally, you know, the five eye partners, let's look at them. Let's look at NATO, right. We really need to start thinking about this because the world is a very, very, very, very small place now and we need to understand that the U.S. is the main target. There aren't too many direct hits to the UK, there aren't too many direct hits to Canada, there aren't too many, well, there aren't a lot of direct hits to the Australia, will leave it for another day. But think about it, we're pretty much the target of the world, and the industrial base is the target.
Eric Crusius: So I think it's important to then think about how do we move CMMC along faster. It's been four years since the PSC presentation, and it's not that anybody did anything wrong, but it seems like a fairly important program to move as fast as possible. I know everyone's trying to move it as fast as possible.
Katie Arrington: They can do it today, or they can move it today. You can go today. And the primes — I've started this pilot program. You know, there's this supply chain where I am working with the large primes, not all of them, but some, and we're going to start requiring just verification on companies that are working with CUI. And we're going to look to the CyberAB and the certified C3PAOs. And it's not a risk the prime can take when you're not willing to understand. We focus on, you know, in manufacturing if you're ISO certified, well, ISO costs money. You're a lawyer. How many how many companies have you been in without an ISO cert in manufacturing? You have two, and that ain't cheap. But we understand and we do it for safety and quality, right? You think about that. We pay for safety and quality. But we won't pay for security. That's not right. When the rule comes out for public comment, you all have been commenting for three years now. Enough. Don't give the bureaucrats any more fuel to their fire. Get the rule out. Let's make it happen. And then once it's in play and we're actually in it, we can see where we need to make the corrections. Let's do it. So let's not burden with silly questions that you have been told. This is why we're doing it. And don't send something in saying the cost is too high because you're missing it. You already should have been doing it. Let's not waste —
Eric Crusius: (inaudible) At that point.
Katie Arrington: Amen. Amen. And by the way, I think everybody forgets at the end of the day, the longer you drag this out, you are the U.S. taxpayer. The government is you. That's the whole thing that we did here people. And everybody thinks that there's this big black pot of money somewhere, right, that you could just go to. It's your tax dollars. And I don't know about you, but I would much rather my tax dollars not be spent on bureaucrats that are in the building, professionals that are adjudicating comments that have been made for the past two years, three years, the same question adjudicated the exact same way. Move on. Find something new. And telling me that the cost of the NIST 171 is redundant. It is the standard. You must comply. Now, how do we know how the CMMC works and in the audit process in the future, how it really will make a difference? Well, we're not going to know until we actually start using it. So start using it, folks. Start getting your NIST. And if you haven't paid attention, acquisition.gov on August 17 updated the 7021 clause. It's going into effect October 1, 2025, regardless, folks. So if you're doing bidding proposals today and you're in a capture management team and you're not thinking about two years from now, shame on you. You shouldn't have a job. You're not doing your job. Because October 2025, if you wait until that point to get it in line, you're too late because you'll submit that submission and it will be complete. The, you won't be computable. You won't be qualified.
Eric Crusius: It's a, it's a ramp up to get there. It's not, I’ve been telling people for a while it takes a long time. Is it possible, you think that OMB will allow it to be an interim final rule again, or you think we're going to be dealing with —
Katie Arrington: No, the DOD blew that. And I will say the DOD blew, that's not OMB. They gave an interim rule the first time. And the Department of Defense said it was in need of national security. Then the powers that be and — I don't, just I understand the mentality of, you know, that it was a new administration and everybody wanted to double check, but they missed the window. And you can't use the, you know, OMB went on a limb and said, yes, this is an interim rule, go forth and prosper. And that pause kind of says, is it really in the need of national security if you're pausing it? Right. And I don't (inaudible) — like I said, I have the highest regard for the deputy. I think Dr. Hicks is brilliant. I think John Sherman has changed a great deal. I think that, you know, Bill Laplante, these Heidi Shoe, who I mean, these are people who are really trying to do the right thing. It's just they got it got bungled up in transition of people in policy and we missed our window. And I don't blame OMB, to be honest with you, right. If it was for national security, why didn't you continue on the path you were on? So it just happens to be the time and circumstance. And I'll say again, I blame Jesse Salazar. And it's OK to say that now. And it's not defamation of character. He is the one who put pause. He is the person who paused the program, and he didn't know enough to do it. And he's not a bad guy. He just was not the right guy for the job. And it was overwhelming. And it was, I believe, a mistake on his behalf. And not to say that he's not a good person. He is, best of intentions. He didn't know anything about cybersecurity, and he was in charge of this massive program. And they just you know, they didn't equip him with the right tools and that happens.
Eric Crusius: It's kind of like if I guess if I go to court and try to get a temporary restraining order, the TRO, and the judge asks well, what's the emergency? And I'll say, well, this thing happened six months ago.
Katie Arrington: Amen. That's exactly.
Eric Crusius: (inaudible) TRO.
Katie Arrington: And I don't, you know, OMB, I don't blame them. Right now, what I do is, if, you know, we as industry don't understand the impending, you know, the Katie Arrington mindset is our adversaries don't want an election to happen. They don't want us to be successful. 2024 is going to be a really hard year for a lot of people. If people aren't prepared for cyber attacks, ransomware, phishing schemes, they're going to go the way of the wind because the government can only do so much and there's only so much tax dollars available. This is the point in time where we need to use the resources that we have available at a time and a place to do the right thing. And I think we do. I think that there's, you know, the Office of Small Business has programs that can help. We have the MEPs out there, the manufacturer extension partnerships. We have state and local governments that have a lot of funding available. We just need to look outside of our defense bubble and understand that there's a whole lot out there. We just need to know where to go to look for it. And I'm hoping in this, this new ecosystem that I'm creating with a whole bunch — I'm not the only person, there's a whole bunch of us working on it — that we can advance and make the tools, the resources, the funding more available to companies in a faster time frame. So that they can get right because everybody is in the industrial base today is important. If you don't think that you're important and you say it's too hard to work with the DOD, then peace. Go forth and prosper elsewhere. But I'm watching every day. I watch, IT companies are slashing employees and cutting budgets. We are in a recession. We are heading down that pipeline. And the only steady true right now that you can count on going to the bank is federal work and play the odds out. Is it really worth walking away? Are you going to find that kind of customer anywhere else when we have a lot of offshoring? That is a true fact. I mean, although we're trying to bring it back, you know, a lot of manufacturing jobs have gone the other way side and a lot of IT, you know, went to the wayside when they changed the ITAR rules on offshore databases and whatnot. A lot of business left America. So are you willing to fight to keep what you got.
Eric Crusius: I find during recessions that, at least my practice, gets busier because more commercial companies are trying to aggressively market to the federal government.
Katie Arrington: Mm hmm. Oh, absolutely. And the thing is, if people would just, I, too, right. There are things that scare the bejesus out of me. Right. Like, if I'm going in and I have to have a blood work, I'm a cancer survivor, I, breast cancer, breast cancer. When I was in my 30s and my 20s. My 20s. And every time I go in and I'm, I put off getting blood work done and going to have my mammogram because I had breast cancer. I put it off because I'm afraid of the results. I procrastinate because I too am human. And there has to be a point in time where you have to say, I value my body, my being on this planet that I have to pull up, and I say it is pull up my big girl panties, right. And I can because I'm a woman and I pull up, and get it done. And I say that works for companies as well. You know, it's a lot of, I think, fear of the unknown. But when you actually get into it, it really isn't that bad. And, you know, let's just step over to the other side and just dive into it. And there's enough people around you that want you to succeed. They don't want you to leave the industry that know your value, that they're going to be there to help you. But you've got to talk about it. You have to be open about it. That's my thing. Don't be so afraid to make a mistake. Don't be so afraid to take a risk. I'd rather take a risk. Fall early, fall often, and get it right. And I think that's where the CMMC, instead of letting us fall and, you know, figure it out, we put fear into every. So we're so risk averse and maybe that, you know, that — for Jesse, right, he was so risk adverse of making a mistake that it caused this, right? And I don't mean to put it on one person, it's not, it's, just that he happened to be that person. But think about it. In your life, Eric, in anything that you've ever done, what is the greatest feeling of success or gratification you had? It's things that you've taken a giant leap of faith on. And you said, I'm going to dive in. If we don't continue to take risks, we will never grow. We will never get better and take some risks and open the door that you think has got the boogeyman behind it because you open it. And when you find out that there's no cookies behind it, it's a different world. And I pray that people take that. And in your job that you do, you know, a lot of people that are in leadership positions are concerned that they've said things are good for so long, that they're fearful of saying, oh, it's not. Can you imagine, the other day, we talk about, you know, I'm on a text with a lot of CISOs from a lot of different industries. I'll give Elliot Baker and Jarrett a huge — if you don't know Elliot Baker, look him up on Fox hunter, I can't remember the company. It's Fox, Hunter Hunt. Fox. But he started this CISO text chain, right? There's all these CISOs from across the globe on this text that I talk to every day, and we talk about people leaving the CISO environment in droves because they're the responsible party, right. And instead of saying, you know, I'm being brought into the C suite as a CISO and being able to say, listen, my job is to tell you of the risks, right. A CISO should be talking to lawyers every day, right? Here's our risk exposure and how do we close it? And there's always going to be risk. There's always going to be a risk. Do your best. Buy down the risk and get. So we're going through — and I don't mean to date your podcast, but we're going through a massive, you know, the first Category 3 or 4 hurricane to hit a particular area of Florida and Alabama that is unprecedented has never happened. But what did we tell the people and the businesses to do in those communities? Take risk reduction strategies to minimize the impact. Put boards on your windows and doors. Put sandbags to keep flooding. Evacuate. If you take the risk reduction strategies, because bad things are going to happen, and you do those things with the intention that the outcome of a bad thing happening isn't as gravely impactful as it could have been and should not do any of that. That in a nutshell, is it.
Eric Crusius: That's a great analogy. I mean, because even if you take all those measures, you still may lose everything, but you reduce the chances of losing everything.
Katie Arrington: All you've done is reduced your risk exposure. And that's what the CMMC is, is to audit and to say you've done a good job in your risk reduction strategy. Your exposure is as minimal as you can have it. Bad things are going to happen. You know, the cyber insurance companies are looking and you may not think that they have ways to evaluate, but they are using capabilities like — and I will get on Black Kite. It's an amazing tool. If you don't think that companies in mergers and acquisitions or insurance companies are not looking at Black Kite or Exiger, you're to look at what your company is doing, you're dead wrong. They know. They're looking at the reports. They're like, listen, they've got major issues. We ain't insuring that. So don't think that it's not being acknowledged and seen. It's just whether you're got your head above the sand and know it. You know, the ostrich theory here is way in effect. You know, if I bury my head, the problem won't happen. It's going to happen. You're just not going to see it come.
Eric Crusius: And insurance is just so important here because, with breaches are not cheap to respond to. Besides paying my fees there, the fees of the consultants that come in and do an analysis of the breach itself. And we have to determine who to report to, who to report the breach to. And it's usually a very quick, quick turnaround. So, well, insurance is just so important here to minimize those costs.
Katie Arrington: Many people have asked me about that, where they have said, you know, when we talk about the risk exposure and whatnot, when we talk to several companies, you know, who do you call first when you've had a breach? And they say, my lawyer. I'm like, that's the wrong answer.
Eric Crusius: That's what I tell people.
Katie Arrington: I'm like, no, it's DC3, and have your lawyer on the phone with you, but call DC3, you know. And it's that mentality. It's not good for the industrial base because the lawyers — and no disrespect, Eric, I love, I wish I had become a lawyer, I think I'd be a hell of a lot in a different place in this life if I had done that, because I think I can argue with the best of them, and I know the law a lot. It's understand that your lawyer is there to protect what you've already done. Not to — the things that you've done and to show that you've been in the right place, you've done all the right things and that's the position. You know lawyers, you should be able to defend that. But you know, I'm not going to call DC3 until I talk to my lawyer. Well, if your lawyer works 9 to 5, you've got a breach going on and you've got (inaudible), and you're waiting to get your lawyer on the phone to understand what he thinks or she thinks, you're missing it, right? Because the adversary is having a heyday. They're having a heyday. They're in there. They're just, they're just walking all over your stuff. And it's not just the government information they're taking. They're taking everything.
Eric Crusius: Right. I get a lot of calls on Friday nights with breaches, and we have to work through the weekends there. But there are some lawyers who do work that 9 to 5. I'm jealous of them.
Katie Arrington: It's ,it's a different world mindset. And the adversary knows that, right? They know that people may not have their wits about them at the highest, you know, and they send a phishing schemer email that they send at 8:09 when they know that people are working. You know, most people are at home if they have families, or they're, they're out doing activities and they're looking at their phones and they see an email, they are banking on the fact that you're really not thinking about that email. They're banking that your, your employee is looking at it and they're not thinking, is it dot com or dot net? And they're opening the email. They're banking on it. So when was the last time you as a company said, hey, everybody, remember to look at emails, remember to look at who they're from, and do you really want to open this email? Because that's really what the adversaries had the most success in, you know, is in the phishing schemas. And, you know, whatever, you know, there's, there's four or five really good schemes, and how they go about it, but they do them at the most random hours. If you've noticed, it's not generally between the hours of eight and four, it's those off hours that they send them when you're just not at your peak or you may have gone home and you've had a long day and you just happened to pick up your phone and yet you respond to an email, right? We're human, and the atmosphere is banking on that, and that's a whole other podcast. But I think that, you know, this culture of work from home is really not a benefit to work productivity or security. And, you know, how do we get around that or get back to it? I don't know. And that's a whole 'nother podcast.
Eric Crusius: So I think for a lot of people — and I've tried to demystify it some, but I've never worked inside the government — I think a lot of people are, don't know that the rulemaking process is a black box to them. So I was wondering if you could kind of give people some insight as to the rules that OMB right now, what's going on and what we should expect to happen next with it.
Katie Arrington: So what happens is it goes into OMB and then it has to, you know, it goes through interagency coordination. So it goes through all the federal agencies before it ever goes to the public, right? So think about the amount of time frame that takes, right. Trying to get something coordinated within the building can take a year, but it has to go out and it has to be coordinated throughout all the federal agencies. They give their comments, those get adjudicated, then it goes out for public comment. So it’s a very in-depth process. Don’t anybody get it twisted. And then once the public comment period is opened and closed, then the agency that produced the rule has to adjudicate all the comments. So they have to adjudicate not only the interagency comments, they have to adjudicate the public comment. So it's a lot of work. And once that's done, they do a cost analysis, and they determine whether they can afford it or not, essentially. And then that goes through the final rule process if it becomes a rule. So you are looking at a very complex process. It is not easy. And just so everybody knows, the DFAR rules actually start with inside the Pentagon. There's a whole council, the DFAR Council inside the DOD, that you have to work through before you even get to submitting a rule. So you have to give the, the CMMC PMO. They have been working on this nonstop since 2019. Nonstop since 2019 coordinating, adjudicating, rewriting, modifying. And you can have any lawyer and any federal agency raise a question that could bugger the whole thing up. It's very complex, and I don't think it needs to be. And I think that one of the things that we can do when it comes to cybersecurity, is those things can't be there. Because, you know, Eric, you and I were talking before we got on the podcast, you know, post-quantum and quantum computing, the addition of AI into our environments, you know, are the rules right at the right time, is the regulation good at the right time? And it's, you know, it's so we deploy this, right? We've now pushed it to 2025. What's the world going to look like in 2025? At the speed technology is changing, what is it going to look like in 2025? And was the juice worth the squeeze? And I think that’s one of the bigger questions. I mean, that's why I ran for Congress, was, you know, cyber and how do we change how we do policy and regulation to make it at the time of relevance versus the time of the regulation? And, and that's the challenge ahead of everybody right now as we move forward. I give Ron Ross a lot of credit. I love that man. My gosh, I love that man. But by the time Ron is able to get, you know, a new NIST standard out and through all of the processes — because they go through the same process we do right, NIST doesn't just come out with the standard — They have to go through all these again, they put it out for comment, everybody has to come back. By the time we do all that, it's OBE. So the rule process is very complex. I will say one of the guys that I have a lot of kudos for is Jacob Horn, but you too, Eric, have dived into the process, and you understand the complexity of it, and it isn't easy and it's a lot to get things done. I mean, it's amazing we get any rules passed, to be honest with you, with how complex we've made it. So anybody that thinks that this is, you know, that we had a glimmer of hope when they gave us an interim rule because basically they said go forth and prosper. Right now, it's a proposed, and proposed is a whole different animal altogether. And it's very complex. It's very time consuming. And to be brutally honest with you, it sucks up a lot of tax dollars, a lot. And I sometimes wonder if the juice is worth the squeeze. And we started this conversation, and I said originally I never wanted the CMMC to be in a (inaudible). I thought it was much better served in L and M, Sections L and M where the program manager could determine, you know, have the art to tailor in or tailor out security based on the program need. And it's, I wish we could go back to that. If I could rewind the clock, I'd go back to that. And I would have fought harder. And that is my failure, that I didn't fight harder on what I thought made sense, instead of doing what the powers would be. I should have fought harder for you guys. And I'm sorry that I failed in that regard. I guess that's my one failure, is I didn't fight harder because I, I knew the challenges with DFAR rules and I knew from being in the fact that we passed a rule in 2015 that still wasn't implemented in 2019. And I should've known better. But that being what it is, couple of ending things. I don't think Jesse Salazar's a bad guy at all. I think he's a good guy that was put in a bad position. I think our Department of Defense has some amazing people in it today. And like I said, I give props to Stacy Bastianich. I give props to Jon Sherman. I give props to Dave McEwen. I think that they are really trying to do the right thing. But it's really hard when you have rules and regulations and so much oversight that we can't make effective. We are so risk, you know, we're so afraid to make a decision based on failure instead of making a decision and learning from our failures and recouping and recovering and moving forward. So I don't want to just to come across as I'm down on DOD. I'm not. I love DOD. I would love to be in the building again. You know, if the powers that be ever want me back, I'm the first person to come and sign back up because I believe in what they're doing. And I think they're very good people trying to do the right thing in a very constrained environment that does not allow that.
Eric Crusius: I think that's a great way to, to end. I mean, I'll just say it seems like everyone is trying to do the right thing. And I think that's what you've done from the beginning. And I think that's what the folks in that building are doing with respect to our cybersecurity posture. And that's really all you could as for.
Katie Arrington: And it's just, you know, lean in to get the little bit right leaning, because I'll leave this with everybody. You have a birth date and a death date on your tombstone. What did you do at the dash in between? What impact did you make that will make this place better for all when you go? And that's what I live by. I do no harm. I want to make this place better when I go than when I got it. And I think if people took that, you know, and really thought that, instead of it's not about me, it's about us, we would be in a different place. And everybody has a different opinion. You know, you put 40 engineers in a room, you going to 40 different opinions. But there's a common thread in all of them, and you have to find that common thread. And that goes for every aspect of our life right now. And that's not just in cyber or in business or in social. We all have a common thread. And we need to remember that. And that common thread is, you know, do unto others as you would do unto yourself. And treat people the way you want to be treated. And think about business as you would want people to think about your business. And I think if we could kind of get there and not argue on the nit (inaudible) points and just focus on that, we could go a lot further. And this isn't — cybersecurity should never be a political issue. It should never be a monetary issue. It's a security issue. And security is the basis of everything. Costs, schedule, performance are based on security. You raise your family. You live your life based on the security of your life. Otherwise, you wouldn't get a car and put a seatbelt on. Think about that, folks, for a minute. Would you not lock your doors at night if security wasn't a fundamental in your life? And that's all we've been trying to say. It's a fundamental for your business. That's that.
Eric Crusius: I think that's a great way to end today. Katie, really appreciate your insights. Really appreciate you joining us.
Katie Arrington: Take care. God bless. And please remember, everybody, you may not agree with everything I say. I'm a flawed human being like everybody else. But remember this: You live in the best country in the world. One team, one fight. Amen. God bless. And Eric, thank you for having me.