NeoSystems Corporation

CMMC Podcasts

Podcast Episode 1 – Current Cybersecurity Rules

January 20, 2020 | BY: Neosystems
Join attorney Eric Crusius and NeoSystems CISO Ed Bassett as they discuss the current cybersecurity requirements for government contractors.

Transcript

Erin Keating: Hello, and welcome to NeoSystems’ debut podcast, NeoCast. I’m your host, Erin Keating, and I look forward to joining you each week as we look to explore all things cloud and cybersecurity, especially those things that relate to doing business with the government. On today’s show, we open a new series called GovCon Rules. In this series, we will release content in four seasons featuring topics such as the new ruling on third-party cyber security certification and much more. Join us each week as we uncover new topics relevant to the government contracting business.

Erin Keating: Welcome, everyone, to season one, episode one of NeoCast GovCon Rules. We’re excited to kick off this series featuring our lead expert from Holland & Knight, Eric Crusius. Today’s topic will be a breakdown of the current cybersecurity requirements for government contractors. Let’s get this underway. Our lead expert on this series, NeoCast GovCon Rules, is going to be Eric Crusius. Eric, thank you so much for joining us for this series. We’re very excited to dive into all these topics.

Eric Crusius: Thanks. Great to be here.

Erin Keating: Thanks. I know that you are a partner with Holland & Knight, and I’m just curious, can you tell me a little bit about your background and how you ended up being at Holland & Knight and specifically focused in this type of work?

Eric Crusius: Sure. I joined Holland & Knight about two and a half years ago. Like most people in the government contracts industry, it’s not something you plan on doing your whole life. You kind of fall into it. I fell into government contracts 10, 15 years ago, and I’ve been focusing on that ever since. But one of the interesting things about government contracts is… I always say that lawyers who practice in this space are specialized generalists, because government contracts touches everything.

Erin Keating: Right.

Eric Crusius: There’s employment law specific to government contracts, real estate specific to government contracts, and there’s also cybersecurity specific to government contracts. One of the things that I do as a well-rounded, hopefully, government contracts attorney is help people with their cybersecurity compliance. Because of that, NeoSystems is a big player in that field. I’ve come across them, and I’ve done seminars for them. We’ve worked together a bunch. That’s pretty much why we’re here today.

Erin Keating: Great. Well, I know that we have a lot of great topics lined up for this particular podcast. We’ve got a couple of seasons coming forward, but in our first one, we’re going to be talking about a new ruling, third-party cybersecurity certification, that’s now required for contractors to do business with the federal government. For our first topic, we want to go ahead and dive into the current cybersecurity requirements for contractors. Just to kick us off, can you just let us know, what are some of the main regulations contractors need to know in order to be in compliance with cybersecurity requirements to do business with the government?

Eric Crusius: Sure. The two biggest ones really that are out there now is a DFARs Clause, Defense Federal Acquisition Regulation Supplement. I’ll just spout out the number, even though it might be meaningless to some people, 252.204-7012. Then there’s a FAR Clause, Federal Acquisition Regulation Clause, that is 52.204-21. Those two different clauses are really the main ones that govern what contractors are required to do to be cybersecurity compliant at this point.

Erin Keating: Okay. Are there specific regulations that are within those clauses that people need to be thinking about?

Eric Crusius: Sure. Yeah. The DFARs Clause is by far the more difficult one to comply with. Right now, we’re in the process of waiting for a new FAR Clause to drop, because most people say it’s not stringent enough like the DFARs Clause is. The DFARs Clause has to be pretty much in every contract with the Department of Defense. All DOD contractors have to be compliant with it if they possess certain types of information on their systems. We can go into as much detail as everyone can stand, but basically this clause requires contractors to take certain steps to protect information on their systems that they have. It also requires contractors to disclose to the government if they’ve had some kind of cyber breach and make their systems available for the government to kind of review what happened with the cyber breach also.

Erin Keating: Do they do audits then on individual contractors that might be coming in if there is anything in their past?

Eric Crusius: They don’t do audits on the front end. If there is a breach on the back end, they will do an audit then and kind of look at the system and see what happened and try to understand what happened.

Erin Keating: Right. This is such a big topic, whether you’re a consumer or a contractor working with the government. It seems like that data compliance is very important. You mentioned DOD contractors. Who else might need to be worrying about these main regulations? What types of contractors?

Eric Crusius: The interesting thing is that this is something that’s required all the way down the supply chain. Even if you’re not a direct contractor with the federal government, as a subcontractor, you need to worry about this if this clause is in your subcontract agreement with your prime contractor. It could be flowed down where that responsibility is passed on to you. If you look at a lot of the major cyber breaches that have happened over the last number of years, everyone remembers the Target breach.

Erin Keating: Sure.

Eric Crusius: The hackers didn’t actually breach Target itself initially. They breached a subcontractor to Target who was providing a very limited service to Target. Then from there, the hackers got in and got into Target’s system.

Erin Keating: Right.

Eric Crusius: A lot of times, these breaches happen through a subcontractor. I think the government was careful to require these prime contractors to flow these requirements down to the subcontractors and ensure that the subcontractors’ systems are also similarly protected. There are some companies who feel they are too small to be hacked, and that’s just not true. I was giving a cybersecurity seminar a number of years ago, and a person came up to me who had two or three employees and said that they were hacked by a foreign power.

Erin Keating: Wow.

Eric Crusius: Just because this contractor had information that the foreign power wanted.

Erin Keating: Sure.

Eric Crusius: There’s no such thing as too small.

Erin Keating: Too small. Yeah.

Eric Crusius: You may be too big to fail, but you’re not too small to be hacked.

Erin Keating: Right. Right. Just out of curiosity, as being a layman, as I sort of tend to be on these podcasts for NeoSystems, to make sure someone’s asking the dumb questions, if you will, but what kind of burden does this put on individual contractors from a financial perspective? What types of things are they incurring to be maintaining this compliance?

Eric Crusius: Well, it’s kind of interesting. The government has been moving significantly in recent years to try to bring more commercial companies into the government contracting fold, breaking down requirements that are out there now that make it difficult for contractors or for companies who want to be contractors to do business with the federal government. There are two related exceptions to that. One is cybersecurity. The other is supply chain. They’re kind of interrelated also a lot of times. But this has definitely raised the barrier of entry for companies who want to do business with the federal government because it’s not cheap to pull out… especially the DFARs requirement, look at it, and understand the 50 to 100 or so separate NIST requirements that are within the DFARs clause and figuring out, “Which ones do I comply with? If I don’t comply with them, how do I get compliant with them?”

Erin Keating: Right.

Eric Crusius: Luckily, and I didn’t mention this before, but the underpinning of the DFARs Clause, it requires… When I mentioned that it requires contractors to keep information on their systems secure, that’s under… The National Institute of Standards and Technology has issued kind of guidelines about how to do that. The guidelines are in this document called NIST Document 800-171. Within that document there is… I forgot to count, but it’s around 75, 100 separate requirements.

Erin Keating: Wow.

Eric Crusius: Yeah. Some of them are pretty basic about having certain kinds of passwords and making sure people sign in when they come to a place where there’s that protected information, but there’s also more complicated requirements too. Luckily, 800-171 is written in a way that is very understandable. It’s not written for an IT person to read. It’s written for a lay person to read, even a lawyer like me. I can read through the document and kind of understand, “Okay, these are the things that a client needs to do, and this is how I need to advise them.” But just the same, a company could look through that and do the same thing. There’s a portion in the document that’s just kind of essentially a list of the requirements. I always encourage clients, “Look at that list and see what you’re doing, see what you’re not doing, and then you’ve narrowed down significantly probably things that you have to worry about,” because usually companies that have any kind of a robust IT system are doing 80% to 90% of what’s in that 800-171 document.

Erin Keating: Gotcha.

Eric Crusius: Granted, the ones that are not doing it are probably going to be kind of difficult to put into their system and to make sure that they’re compliant with, but they’ve eliminated a lot of the noise and a lot of the difficulty behind it.

Erin Keating: Right. Were there a lot of ways in which you wanted to do business with the government before that had already required this NIST list of requirements, so therefore, a lot of businesses may or may not already be in compliance, for the most part, without even knowing?

Eric Crusius: That’s maybe true. There may be businesses in the commercial space, because 800-171 is just kind of good practices.

Erin Keating: Sure.

Eric Crusius: There may be companies that are not doing business with the federal government now who are already compliant with it without even realizing it. There may be a couple of small holes, like, “We’re not doing one or two things,” but for the most part, doing business with the government is not a heavy lift, especially with technology companies. The companies that the government’s really trying to attract from Silicon Valley are probably doing most of these 800-171 things, because NIST brings in technology experts who are not government experts.

Erin Keating: Sure.

Eric Crusius: They hopefully understand the technology and are providing requirements that are consistent with what the technology requires, not a requirement just for a requirement’s sake, which happens sometimes.

Erin Keating: Yes. Is there insurance that people need to be considering as well? As part of the requirements to be compliant, are you needing to… I would imagine that’s an undue burden… well, not undue burden, but an additional financial burden potentially that a lot of these contractors might need to be thinking through?

Eric Crusius: Definitely. It is not a black letter requirement, but a lot of companies do get…

Erin Keating: Do get it just to…

Eric Crusius: … cyber insurance, and there’s a couple of kinds. There’s the kind of insurance that covers you if you have a breach, paying the damages that have…

Erin Keating: Sure.

Eric Crusius: … because of the breach. If you have to pay out employees because their personally-identifiable information was released, there’s insurance that covers that. There’s also insurance that covers the expenses due to a breach, such as paying for a lawyer to come in…

Erin Keating: Lawyer. Right.

Eric Crusius: … and figure out what happened and what kind of disclosures need to be made, some kind of IT consultant, all that kind of stuff. Then there’s also policies that combine both, but you have those two separate kinds of insurance that are available.

Erin Keating: Now, you did mention that no one is too small to get hacked, but in the current state of the regulations and requirements, are there any exemptions that are made for specific… I don’t know as much about set-aside business and small minority-owned businesses and things like this, but are there any exemptions that are currently out there for smaller contractors where they’d not have to overcome this barrier to entry?

Eric Crusius: Unfortunately, there are not exceptions for small businesses right now, and it’s just the nature of it because it’s so important and because the government realizes that small businesses can be hacked just as much as a large business can, and they’re kind of a weakness in the system, that small businesses are also subject to this, unfortunately.

Erin Keating: Right, which I guess reiterates the point that any large contractor out there listening to this particular podcast right now does really need to consider what subcontractors it brings on, because it really does trickle all the way down even to the smallest consultant you may have working on a project.

Eric Crusius: Absolutely. I always tell people that your subcontractors, you’re essentially marrying them, because you’re in that same leaky boat with them. If that leaky boat really becomes even more leaky, you’re all going to take on water together.

Erin Keating: Right. Is there a difference between defense and civilian contractors and what they need to do for these particular requirements?

Eric Crusius: Yeah. As of today, the regulations are quite different. There’s a new civilian clause that is in the works that we haven’t seen yet that’s going to probably change what civilian contractors need to do at this time, but the civilian contractors have a much less stringent requirement, whereas you have this DFARs Clause that impacts DOD contractors that has, give or take, 100 requirements. You have the civilian clause, which, if I’m counting properly, has about 15 requirements, and they’re very general, whereas the DOD clause, which imputes the NIST 800-171, is very specific. The thing about 800-171 is it doesn’t tell you how to do something. It just tells you what to do.

Erin Keating: Okay.

Eric Crusius: Contractors have flexibility about how they accomplish those goals. The FAR Clause for civilian contractors is even more broad, where they just kind of give you 15 general things that you’re supposed to do, which is, for instance, identify, report, and correct information and information system flaws in a timely manner. What’s a timely manner? I don’t know.

Erin Keating: Sure.

Eric Crusius: It’s very amorphous, but it’s just telling you that if you see a flaw, you’re supposed to fix it, whereas if you look at the NIST probably equivalent, I don’t have it in front of me right now, but it’s going to be a lot more specific than that.

Erin Keating: Like within 30 days?

Eric Crusius: Yeah. Yeah. Yeah, and what kind of flaws have to be fixed. There’s more to worry about.

Erin Keating: Now, when someone is beginning or in the middle of becoming a government contractor, when they are putting these clauses in their contract work with the government, is there additional backup information that they need to be supplying every time they’re going out for a contract? Does this need to be very documented and kept in specific order? Is that dictated by these regulations?

Eric Crusius: One thing contractors need to do is develop a system security plan, and that’s just a requirement. But besides that, there’s nothing that they have to document. The problem that the government has had, even with this stringent DFARs Clause, is they sense, and they’re correct in sensing this, that a lot of contractors just don’t comply with it.

Erin Keating: Sure.

Eric Crusius: Some don’t even try.

Erin Keating: Right. They’ll leave the clause in the actual contract, but then they just don’t actually comply with it.

Eric Crusius: Right.

Erin Keating: Okay.

Eric Crusius: That’s leading to some problems, obviously. One is there are breaches, and the second part is for contractors, that if you see the clause in there and you make no effort to comply, that can form the basis of a false claims action, whereas you have an internal whistleblower that says, “Hey, what are we doing to comply with this DFARs Clause?” and the leadership in the company says, “We don’t care about that. We’re not going to comply with it, even though we’re signing invoices that say that we are compliant with it.” All of a sudden, that’s a false claim potentially.

Erin Keating: Sure.

Eric Crusius: The government kind of sees this happening, and they see the fact that there’s still a lot of companies who are not compliant with this. This is obviously a big priority. They’re trying to make contractors a little bit more accountable for that. One way they’re going to do it, and as we’re going to discuss in the not-too-distant future, is having this certification requirement.

Erin Keating: Right. Okay.

Eric Crusius: The government is also making cybersecurity compliance a basis of award. When you’re bidding on a contract, the government typically will list, sometimes kind of cryptically but sometimes very clearly, the things that they’re going to consider whether you’re going to get a contract or not. The government is starting to list your cyber security compliance as one of those factors and will ask you to write about your cyber security compliance in your proposal. They’re trying to think of ways to make contractors a little bit more accountable.

Erin Keating: Sure. Knowing that anyone listening to this podcast who’s beginning to pull all of this together, it’s very smart to be documenting it and having it in a specific space so that you can share that information, and potentially if there’s certification requirements in the future, to actually say that you are certified, you would have all that documentation in place, save yourself a lot of trouble in the future.

Eric Crusius: Right. Absolutely. Yeah. To that point even is that if you have this government information on your systems, the best advice I can give is to have it on one server or one hard drive or one spot, because the government will have a right if there is a breach or an attempted breach to come in and do an investigation, but that right to do an investigation is only limited to where the breach happened. If you have your information spread in a server that is commingled with everything else in your company, the government will see that everything else when they do an investigation. If it’s on a separate drive or a separate server or a separate whatever, the government won’t have that right to see everything else in your company.

Erin Keating: Okay. Good to know. Duly noted. That probably leads into another question. What kind of data is covered by the clause?

Eric Crusius: That’s a really good question. It’s a very interesting question. The clause covers what they call controlled unclassified information. The contractor has to possess this kind of information or have it on its systems or create it for the government. The thing that I think is making compliance difficult or making things difficult for contractors is the fact that this controlled unclassified information category, which everyone just calls CUI, is so broad that it covers just about any nonpublic information.

Erin Keating: Right.

Eric Crusius: There’s what’s called a CUI registry that the National Archives hosts. Anybody can kind of go look at the full list, and I don’t want people to tune out, so I won’t read everything that’s covered.

Erin Keating: Important.

Eric Crusius: But really, if you just look at the list, I’ll give a couple of highlights. You have export control information, so things that are subject to the export control laws, law enforcement information, so any kind of criminal records or national security letters. There’s legal information including administrative proceedings. I’m just looking at other ones as well. Patent applications. There’s also proprietary business information, which is what would be the catchall for a lot of people, where one of the categories is general proprietary business information under that, which can cover just about anything if you look at it. The kind of information that a contractor would possess that would be covered by this is very broad, and that’s kind of the hook for a lot of contractors.

Erin Keating: Sure. Sure. Just for everyone listening to this particular podcast, just please know that in our show notes we will provide links for anything that’s been mentioned on our episode today. But this leads me to the question of whether companies need to consider individuals like yourself that are outside counsel that can help them really look through these requirements and regulations and better decipher what they need to be cautious of or what size companies have internal compliance offices or internal counsel. Do you have any generalized thoughts on what size your company is or when it is smart to think about outside counsel, and at what point in the process of becoming a government contractor in these specific fields is it important to consider that?

Eric Crusius: Well, I always say it’s much less expensive and much easier when things are dealt with on the front end than the back end.

Erin Keating: Sure.

Eric Crusius: For most people listening, that ship’s already sailed, but the time to really kind of look at this stuff and understand it and become compliant with it is before you get your first contract. But for most folks, that wasn’t possible because these regulations are fairly new, so they were already in the government contract space before. But for new folks looking to enter the space, it’s then… The size of the company really dictates what kind of resources a company has internally. A big Fortune 100 company will have a lot of this expertise in-house, even on the legal side. But even those companies usually go outside and pull upon the expertise of somebody who’s been through the rodeo a number of times, so to speak.

Eric Crusius: Smaller companies especially, and I represent a lot of small companies, where they just don’t really have internal legal resources at all, just have to outsource everything. That’s the most cost-effective way to do it, because you’re just borrowing somebody’s time for a little while. Then you don’t have a commitment to them after the fact. But for the most part, to deal with an issue this specific, because it’s so specific, you generally need not just outside legal counsel but maybe some outside technical support to understand the requirements. Like I said though, the 800-171, a lay person can read through it and understand it and know where their shortfalls are. Where a technical expert may be needed is how to fix or meet those shortfalls, but there are third parties also, if you host your data elsewhere and things like that, that take care of that. For the most part, I think outside help is generally the most cost-effective way to go about this and probably the necessary thing to do.

Erin Keating: Sure, which of course then leads me… Whenever you say outside counsel, you’re normally thinking in your brain, “What would repercussions that we might be facing? What things are we trying to be preventative about?” What are some of the repercussions that a company could face if they aren’t compliant with these things?

Eric Crusius: The main repercussion, there’s a couple, for instance, is violating the DFARs Clause or not being compliant with it. The first is the government can cancel your contract, and they could cancel it for default, which means that you as a contractor are not entitled to get any kind of follow-on work from the contractor, and it’s a black mark against the company. It’s harder to get new contracts then. You may get terminated for convenience, that the government doesn’t want to go through a rigamarole of terminating a contractor for default. That still means the end of the life of the contract.

Erin Keating: Sure.

Eric Crusius: Government contracting is a little different than contracting between two private parties, where the government can walk in at any time for any reason and cancel a contract.

Erin Keating: Yep.

Eric Crusius: They generally don’t like to do that. It’s a pain for them to do that, because they have to re-procure it, but they have that power. That’s one of the main repercussions, and that’s probably the first line of defense repercussion. The other one, which I kind of alluded to earlier, is this idea that a False Claims Act case can be filed because of a lack of cybersecurity compliance. There have been a couple of cases recently that have passed the preliminary stage that have allowed those claims to go through.

Erin Keating: Wow.

Eric Crusius: Contractors, just like with other requirements that are written into the Federal Acquisition Regulation or the DFARs, noncompliance with those and, essentially, purposeful noncompliance with those or just putting-your-head-in-the-sand noncompliance with those can result in a False Claims Act suit, which are very expensive to defend and can be very harrowing to defend, especially if the Department of Justice joins in with a case that’s filed by a whistle-blower and you have the whole weight of the federal government behind the case against the company.

Erin Keating: Again, being a layman that doesn’t deal a lot in this particular area, are there even chances for this to open up against individuals? Is it always going after the contractors? Are there even individual compliance officers or CEOs and things like that of these contracting firms that could be liable in the future?

Eric Crusius: Yes. The short answer is yes. One thing that can happen is if the government finds that or a court finds that an individual was purposefully noncompliant or just really ignored the requirements. They could be suspended or debarred under FAR Part 9, which requires you to be a responsible individual or a contractor to do business with the federal government. There’s also other preexisting laws and regulations that have been written in and litigated over many times that prohibit people from entering systems they aren’t allowed to enter and things like that, exceeding authorized access, looking at emails that they’re not supposed to be looking at. Individuals that go into systems and go too far or go into a system they don’t have authorization to go into can be subject to those laws, which have been around for a long time as well.

Erin Keating: An even bigger reason why people really want to pay attention to this…

Eric Crusius: Yes. Absolutely.

Erin Keating: … corporately and individually. I know that in our next episode we’re going to get into where the certification requirements are now and what to expect, but before we get to that episode, the last question at least I have for you is you mentioned that some of these individuals might’ve already been contractors or most of the people probably listening to this are existing contractors to the government. Are there any grandfather exemptions or things like that for existing contractors working within the system, having not already complied with these requirements?

Eric Crusius: Unfortunately, no. There had been, where they announced this and they said, “Six, nine months later, you have to be compliant with this,” but this period was December 31st, 2017.

Erin Keating: Okay. We’re long past it.

Eric Crusius: That unfortunately has passed. Yeah. With new structural requirements like this, there is a period where the government expects that contractors informally are going to be getting up to speed.

Erin Keating: Sure.

Eric Crusius: We’re probably past that point now as well. In my conversations with government officials just in my practice and doing presentations and things like that, they have indicated that they have lost patience with the contractor community and…

Erin Keating: I’m sure.

Eric Crusius: Yeah, and they’re going to be really focusing on this.

Erin Keating: Right. Well, and they need to because it’s under such public scrutiny as well.

Eric Crusius: Yes.

Erin Keating: I imagine it’s for everyone’s sake. Well, thank you, Eric, so much for joining us for today’s topic. I am looking forward to speaking with you again when we can get further down the rabbit hole of what the certification looks like now and what changes we can expect in the future. Thanks so much.

Eric Crusius: Thanks. Thanks for having me.

Erin Keating: Absolutely. This part of the episode, we’re going to welcome Ed Bassett, the chief information security officer for NeoSystems, to talk a little bit about how NeoSystems might be there to help prepare individual contractors working with the government in advance of this Cybersecurity Maturity Model Certification, CMMC, that we’ve been speaking with Eric Crusius about. Ed, we wanted to talk to you a little bit about how your company’s been preparing yourself to be a better service contractor to those that might be doing business directly with the government. One thing that came up was the FedRAMP Requirements and the ready designation that you all have obtained. Can you tell us a little bit about what that designation means and what it took for you all to get it?

Ed Bassett: Sure. Thanks, Erin. We saw the need for increased security as we brought our hosting platform to market several years ago. We’ve always been focused on the government contracting market, so we built it from the ground up with security in mind. But then as the FedRAMP program started coming out and we saw FedRAMP being brought into play by the DFARs Clause, I think Eric’s talked about that DFARs clause that applies to Department of Defense contractors, if they use a cloud service, then that cloud service has to meet FedRAMP standards. We said, “We want to bring our cloud hosting offering up to that standard to make sure that we can assure our customers at the time that they buy that we are in fact meeting all those controls.” About two years ago, we started down the path of getting our platform FedRAMP certified. There’s about 325 controls that are required at the moderate level, which is the security impact level that we’ve chosen for this offering.

Ed Bassett: It meets the needs of about 95% of our clients, so everything, controlled and classified information, all the things Eric’s been talking about are all processed in the systems at that moderate impact level. There’s about 325 controls that have to be addressed. Many of them we already had in place, of course, but under the FedRAMP program, you have to meet their very specific requirements in each of those 325 areas, and you have to have it independently audited by a designated auditor that’s qualified to certify those things on behalf of the government. Then you have to take it in front of the FedRAMP Project Management Office and basically explain how your system meets their standards, answer technical questions, administrative questions about controls we have in place, how we monitor and manage those controls. The government is looking for a very high level of assurance when they certify someone as FedRAMP under the FedRAMP program.

Erin Keating: I’m sure. Why doesn’t everybody have this certification? It sounds like a lot of work that you all have put into it, knowing that that’s one of the barriers to entry and working with the government. Tell us a little bit more about what’s so difficult about getting the certification and why it was so important for you to get it?

Ed Bassett: The difficulty is imposed intentionally by the government. They want it to be a high bar, right? They want to make sure that the government is procuring cloud services that are secure, meaning that they’re carried out of the service providers that are delivering those services, take security seriously, have made the proper investments, and are applying the right resources to not only build it securely, but maintain and manage it in an ongoing way, where it’s secure all day, every day. They make the bar fairly high. It’s heavily documented. It’s technically challenging. In that sense, it takes quite a bit of commitment for companies to go and get that. It’s not important for all companies. Right? For NeoSystems, very important for us because we focus on the federal government contractor marketplace. That’s about 90% of our business.

Ed Bassett: We know that the majority of our clients fall under the DFARS clause or other regulations where the FedRAMP is the standard that they need to use to judge their cloud providers. When our clients go to buy cloud services, they look in the DFARS clause to see what the security requirements are that are imposed upon them, and a cloud service provider provides FedRAMP moderate equivalent security. They need to evaluate the company they are getting ready to buy from to see, “Are they in fact meeting the FedRAMP equivalents?” The easiest way for them to do that is to shop on the FedRAMP Marketplace, the official website published by the FedRAMP Project Management Office. It lists all of the cloud service offerings in the marketplace which are FedRAMP certified.

Ed Bassett: For us, it was very important to be on that list because clients then know, with a high level of assurance, that we meet the standard that they’re required by their contracts. If they choose a cloud service provider that’s not on that list, they have to make that evaluation themselves. They have to evaluate all the security being done by that cloud provider. That’s a difficult, time-consuming process. By going through the independent audit, some independent party has certified that we do in fact have all the proper controls, and now we’re listed in the marketplace. It just provides an easy shopping experience, easy for our customers to evaluate the quality of our security.

Erin Keating: Right. It seems to mimic actually the process that the government is trying to do with the CMMC, which is to then get the contractors who are working directly with the government to also have a certification that puts them at ease. It’s nice to see that there’s some redundancy in the certification and designation so that all the way through the process you’re relying on vendors that can be counted on for cyber security.

Ed Bassett: That’s right. Both CMMC and FedRAMP rely on a third-party independent audit. I think the government… They started the FedRAMP program because they were seeing that they were over and over and over evaluating the same cloud service providers. They said, “We want to evaluate once and have everybody be able to rely on that.” They designed the FedRAMP program to have a consistent way to do the evaluation so that it could be consumed by any government agency. That same thing happens with CMMC. Prior to CMMC, contractors self-attest that they meet the government’s requirements, but the government doesn’t really have any assurance. They don’t have a way to know. Rather than each agency evaluating each of their contractors on an individual basis, CMMC is a way, across the entire Department of Defense, to have a third-party audit done in a consistent way, that any portion of the DOD that wants to contract can know, based on their CMMC certification, what their level of security maturity is, so reliable, reusable. Audit once, use many is the concept in both cases.

Erin Keating: Sort of like measure twice, cut once, right?

Ed Bassett: Exactly.

Erin Keating: Yeah. What product of NeoSystems is FedRAMP-ready right now?

Ed Bassett: The cloud offering that we have in the FedRAMP Marketplace is our cloud hosting offering, NeoSystems.Cloud. It is application hosting, again, designed specifically for federal government contractors. It’s a platform as a service, meaning that we take care of the infrastructure, data center, hardware, all the things that make up the base foundation. Then on top of that, we build servers, operating systems, databases, and we manage up to that level. Then our clients in that platform can host a variety of different enterprise applications. Clients can bring their own applications to the table. We offer some applications as an application service provider, where we do the application support up into the application layer so that they can use that platform in a variety of ways. Most of our clients are using it for hosting their ERP, finance, accounting, financial planning, those kinds of systems. But again, it’s a flexible platform designed to meet the needs of federal government contractors.

Erin Keating: Wonderful. Well, I can totally see how a lot of contractors who are looking to become compliant with CMMC would find your services, and specifically that designation, really crucial and important for them, making sure that they have all of their ducks in a row as far as being certified on their end. That’s great to know that these are services that are available.

Erin Keating: The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back-office operations. NeoSystems offers scalable back-office services and solutions to improve your organization, with a team of industry experts, industry-leading information technology tools, and an advanced technical infrastructure. From software hosting and security solutions to managed accounting services, NeoSystems will custom-build solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at NeoSystems C-O-R-P dot com. That’s NeoSystemsCorp.com.
