
NeoSystems Corporation

CMMC Podcasts

Podcast Season 4 Episode 1 – WashTech CISOs Speak: Amy Howland and Jonathan Stammler

April 07, 2020 | BY: Neosystems

We have started a new series to hear from some of Washington, DC’s best and brightest CISOs. Join us in this episode as we talk to Jonathan Stammler of LMI and Amy Howland of Perspecta.

Transcript

Erin Keating:
Welcome to NeoCast. Join us each week as we discuss challenges in government contracting, strategies and solutions for your businesses. We’ll dive into managed IT, cybersecurity, workforce advancement and much, much more. Sharing is caring, and we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it.

Erin Keating:
Hello everybody. Thank you for joining us today. We are starting a new series within the NeoCast Podcast called WashTECH series, CISOs Speak, and we are excited to have Jonathan Stammler with LMI today with us and Amy Howland with Perspecta to talk a little bit about CMMC. The news everywhere right now is, of course, around coronavirus, and COVID, and emergency planning, and I’m sure that we will get to a point in our conversation where we talk how that is impacting our preparedness for CMMC, but we wanted to make sure that we start talking with CISOs across the country right now and how you all are starting to face the certification process and how you’re preparing yourselves as prime contractors as well as all of your subcontractors in this process. So, thank you so much Jonathan and Amy for joining us today. I appreciate it.

Amy Howland:
Nice to be here.

Jonathan Stammler:
Thank you.

Erin Keating:
So, if we could just take a quick moment and have each of you introduce yourselves, I’d love to hear a little bit more about LMI and Perspecta and your current roles and maybe even just a quick snapshot of how you got to this current role. So, Jonathan, why don’t we start with you?

Jonathan Stammler:
Sure. So, LMI, Logistics Management Institute, we started about 55 years ago as an FRDC. Since then, we’ve grown, and we support national security, health and defense markets. We started out as strictly logistics but we’ve expanded our services to the government, cross digital services, management advisory and advanced analytics. For me personally, I have been at LMI for about six years. Started off as a security analyst and kind of have been building the security program from scratch over that time. So, started out doing audits and getting LMI accredited to those standards, and then into 800-171, and now today, getting the organization prepared and ready for CMMC.

Erin Keating:
Great. Thank you so much for being here. Amy, how about you? Could you let us know a little bit about your career path and Perspecta as a company and where you are now?

Amy Howland:
Sure. So, I’m the Chief Information Security Officer for Perspecta. While Perspecta is, just in June, coming up on being two years old, we have a very long history as well. So, we are a merged company, back in June of 2018, starting out as Vencore and the US Public Sector, DXC, which actually has a very long history with Hewlett Packard Enterprise and going back to Electronic Data Systems, EDS. So, it’s between that and the Risk Decision Group or Keypoint Technologies as a background investigation, it’s the merger of multiple different types of companies and cultures that have been coming together as one Perspecta over the past two years. So, I started just after they became Perspecta, so about one and three quarter years. Prior to that I was in a similar industry as a CISO for two years with another defense contractor. So, at that point, had gone through the NIST 800-171 when that came out. And so the past two years at Perspecta have really been working on integration, which is another challenge in and of itself, and integrating the multiple companies into one common set of controls, one SOC, etc.

Amy Howland:
So, I started my career as a financial auditor and made my way into cybersecurity, so it’s been a wild ride.

Erin Keating:
That’s awesome. Well, I know we’re also going to be starting some series specific to COVID around what people can be doing in this time of either uncertainty, unemployment even, or downtime and preparing for careers in cybersecurity. So, I bet both of you would have some great insights for folks who are out there trying to figure out certifications. When I looked both of you up on LinkedIn, I could see just a mountain of certifications, so I’m sure there’s lots that people can be doing out there in the field to be readying themselves for the cybersecurity and managed IT industry.

Erin Keating:
And of course, with CMMC hitting now and supply chain management becoming a little bit more challenging, to say the least, for everybody, it still remains top of mind for everybody in the defense business for sure, and government contracting, CMMC despite what’s going on with coronavirus and COVID-19 it’s still paramount to your ability to win contracts in the future and in the very near term future. So, tell me a little bit about what both of you guys are hearing related to CMMC right now and what the communications have been so far to any of the subs that you’re working with as far as readiness for this.

Amy Howland:
Sure. So, one of the strongest messages that’s coming across, regardless of what’s happening, is DoD is not slowing down. So, I think I saw a webinar with Katie Arrington just last week, and they’re still on target, still focused, and there’s a lot of things that are still coming out. So, I think what everybody’s continuing to do is having those internal assessments for readiness, but what folks need to do is take a look at their plans, their plans of actions and milestones that might have already existed, which were okay for NIST 800-171, and really working on remediating those now that programs are no longer going to be allowed for CMMC. So, I think it’s bringing forward some new challenges, and it’s making a lot of people look at where does their CUI, their controlled unclassified information, where does that really reside within your organization? And if you’re trying to narrow down your scope, really identifying where it is, and that’s not always easy for everybody to do.

Amy Howland:
But I think with CMMC, as the controls are being assessed for how they’ve been in place, it’s not so much just how they’ve been implemented, but now it’s what’s the maturity level as a company. Where are you? Do you have everything documented? Do your teams know the processes? And taking it from where it’s been to, obviously, CMMC is bringing this new level from a maturity perspective. So, I know that’s what we’re doing at Perspecta, and I’ve talked with a lot of peers and they’re doing the same thing. In regards to our subs and business partners, there’s really a big education level, so within the company, making sure that your business leadership is engaged, that your BD is engaged, your supply chain is engaged. So, I know we’ve sent out letters to all of our subs and partners right after CMMC was released to make sure that folks were aware of it, especially the smaller businesses, and letting them know that they need to be ready.

Amy Howland:
So, I think the message is really making sure that your teaming partners have a sense of what level they might need to be assessed to and making sure that they’re on their way, because that’s something that is not going to happen quickly.

Jonathan Stammler:
Yeah. I think we’re all closely looking at the accreditation body because it’s not quite clear on how the assessments are going to go, how that’s going to be structured, how you get in line compared to when your contracts are coming through that have the CMMC requirement. Everybody is assessing the controls but also, are they a level three? Are they going to put the whole company to level four? What does that take? What are the large ticket items that are large technology purchases that really affect all employees such as DLP, or if they haven’t yet, multifactor authentication? And starting those larger projects now so that people don’t completely get disrupted in their day to day work. Slowly implement these controls.

Jonathan Stammler:
We’re also looking at from our subs is, not all the subs are going to be able to hit level three accreditation. They might hit level one or level two, but we still may need to work with them because those are our partners, we’d still like to do business with them. So, what can we put in place to help speed them up or infrastructure we can offer that is accredited at level three to conduct that work? I think it’s still a little unknown on how the contracts will be structured, on what level different contractors have to be from a data or what you’re doing with the data perspective. So, I think we’re closely monitoring that so we can know which way to shift. But overall, constantly assessing, real self-assessments and starting to tackle those large ticket items.

Erin Keating:
Yeah, I know that’s a lot. What we talked about a couple months ago when we started the CMMC conversation is how do we prepare, even just some of the smaller subcontractors who may not have the IT infrastructure in place to even get up to the levels that they need to be able to get to in order to service larger contracts that they’re on.

Erin Keating:
So, what are some of the challenges related to the technology CISOs are seeing these days and some potential solutions? And I imagine this might be a good time to bring in the current crisis that we have right now is, are you seeing different technology challenges than you thought you might have based on complete remote workforces and having to truly do lot of this work in preparedness in the cloud or remotely or whatever solutions you are having to come into place? Could you speak to that a little bit?

Amy Howland:
Sure. So, I think Jonathan mentioned a lot of the technologies that come into play, and I think the level of challenge is different because sometimes it depends on what size business you are. Some of the smaller businesses might have not looked at some of these challenges before, but just because you’re a large business doesn’t mean that you have all your controls implemented or that you’re bringing in acquisitions or different types of companies. So, I think on top of some of the technologies that Jonathan mentioned are things like multifactor authentication, for folks who haven’t had that already, an MDM solution, Mobile Device Management. And there’s other things that I think are proving to be a bit challenging from an industry perspective in regards to things like FIPS 140-2 validated.

Amy Howland:
And so there’s been some discussions among my peers where there’s actually some things that don’t work with GCC High, the Microsoft cloud environment, and obviously many of the defense contractors are in GCC High because that’s how we’re supporting the ability to protect controlled unclassified information. So, I think there’s a challenge in how folks are looking at their policies and making changes to enforce things a little differently than how they might’ve wanted to, so I think there’s a lot of solutions coming in play.

Amy Howland:
But there’s never enough people, as we always talk about in cybersecurity, and so resource and budget is always a challenge, and to your point, now, with COVID, I think folks are looking at it differently. Because I know for us, we have a lot of project teams who, now that they’re working from home, they want to connect to their customers’ systems or connect differently than they have before. So, I know we’ve put out a lot of communications about how to use your devices, and how to securely connect to things, but then we have to make a lot of decisions so that we’re not compromising Perspecta’s security. It’s that balance of security and getting our mission done, which also is revenue generating, but it does get back to supporting our customers in the mission, and we have to make sure that people can do their jobs, but we also have to make sure that they can do it securely.

Amy Howland:
So, I think the challenges are, in regards to COVID, you don’t know what’s going to happen at any given day. You could have a perfectly healthy person who might’ve been near somebody who has now tested positive and now that person has to quarantine, and then looking at, well was that person, a physical person on site that needed to help people, and so now we’re down resources. Yeah, I think the timing is certainly interesting and is posing a challenge to businesses in regards to how they’re going to keep going forward and just continue to hope that everyone is healthy and just work with backup plans for whatever the dynamics might bring.

Jonathan Stammler:
Yeah, I think the other challenge there is capacity. Before now, depending on the organization, not the entire workforce was remote, so to be able to support that staff full-time and securely is a challenge and you have to make different… there’s cost components to that of how much you spend on your network infrastructure or what cloud services are you procuring to meet those needs.

Erin Keating:
That’s interesting that you bring up costs because I know, to your point there, from my understanding with CMMC, there was already some concerns over what costs would be associated with bringing contractors into compliance with the CMMC and how the government would offset those costs. And to your point, there now is a bigger concern of much larger cost concerns of moving entire workforces remotely and having to bolster your security even beyond what you might’ve had before based on all of these remote devices and such. How much is that playing into how you’re responding? And you may not have this direct answer if you’re not on the bids themselves. Have you heard how much this is impacting the way pricing is even happening in the industry right now and what the government’s even starting to consider as far as offsets for those types of costs?

Jonathan Stammler:
I know the accreditation body is assessing that and they’re doing their pathfinder program with a subset of contractors to kind of assess the time it takes for these accreditations at the level one through five level and kind of get an idea of cost. I think what LMI has been trying to do and what I’ve been trying to do is tie these to LMI’s qualified pipeline, because at the end of the day it’s all relative. How many contracts can we not bid on because we’re not a certain level and that’s opportunity? And so trying to tie it to that so that we can get appropriated funds ahead of time so we are prepared versus trying to make it up after the fact. Because from time to time, “Oh, we’re not going to need to be this level,” but then a contract comes our way that we have to bid on and the company will want to be that level four, level five, so you have to be prepared for the winds to change.

Amy Howland:
Yeah. I’m working the same thing, and kind of earlier as I was talking about, making sure the business is aware. That’s absolutely it, is seeing what is coming out? What’s our pipeline going to be? What do we think their requirements are for contracts at what level and so getting those funds?

Amy Howland:
In regards to the charge backs, I did find that very interesting. I’ve had conversations with others but it hasn’t gone very far. I know the government is saying that you can charge that back. Obviously, I think it would be a slow roll to recoup, if you will, because it’s going to be in the form of how you’re billing going forward and putting that in the indirect costs, but I don’t know what the movement is to actually make that happen. I think it sounds like a good process and admirable as to what DoD is trying to do, it’s just a matter of how the contractors are going to react to that and whether or not and how they’re going to take advantage.

Jonathan Stammler:
And there seems to be some discrepancy between the level three being an organizational assessment and then level four and five potentially being like a specific program, and so we’re waiting to see how that falls out from the chargeback perspective as well.

Amy Howland:
That is a great point. Yeah. I had a conversation this week about boundaries, and I think that’s going to be wonderful once the accreditation body comes out with some better guidance on the boundaries. I think it started out that it was organizational only and then that went into organizations and contracts, and so I think there’s some confusion as to how those boundaries are going to come into play. That’s a good point, Jonathan.

Erin Keating:
One thing we mentioned when Eric Crusius with Holland & Knight and I were doing a series on what the levels could come out as. So, I believe that some of it will be… Maybe it’s not at the complete discretion of the CEOs, but he was erring on the side of potentially people setting a level higher than it needed to truly be to protect themselves.

Erin Keating:
With everything that’s going on right now, and Jonathan, this may be relevant or not, I haven’t read your full report, but LMI did do some reporting after the H1N1 pandemic to talk about what we’re not doing necessarily right and what we are doing right in being prepared for disasters like this. Have you been hearing anything in the industry about potentially people erring on the side of higher levels purely because this whole thing has thrown people off their game on what’s secure, what’s not secure and how to move forward, and does that start to strike fear into a lot of contractors on how they possibly get to higher and higher levels with different contracts that may not inherently warrant that level, but based on human dynamics and fear in the markets and everything, might push different contracts to that level?

Jonathan Stammler:
Yeah, that’s been a concern from once they started implementing [inaudible 00:16:50] and 800-171, for 800-171, they put out a suggestions appendix of how to solve controls, and we were having those get pasted in as you will do these things, and not all those things make sense depending on how security of your organization is structured. So, working through that with the contracts folks to get that worked out.

Jonathan Stammler:
From CMMC, it’s definitely a concern. In the industry, I’ve heard both sides. Some companies are like, “Well, we’re just going to do level five. We’re going to bite the bullet, spend the money and not have to worry about it after this.” And then others are, “Wow, that’s a huge lift, especially from a process maturity, staffing costs level, and to be able to do that by September is just not doable.” So, they’re looking at it a little bit differently. From one of the briefs from I think Katie Arrington, she mentioned that there was going to be an update to the DoD acquisition framework to kind of the guiding principles to help assess and apply the right CMMC level depending on the data in the contracts. I haven’t seen that specifically called out in the presentations, but it was kind of a voiceover, and so I’m interested in seeing that come out in the next couple months.

Jonathan Stammler:
I think something else that’ll add to calming those fears a little bit is the assessment guides for the different levels, because they need to standardize across the assessors. So, when the accreditation body reaches out, I think we’ll have a much higher comfort level of, “Well, we think we meet this control, but how are they going to assess it?” Because we may be off the mark, we may need to change 20% of our solution, etc.

Amy Howland:
Yeah, that’s a really good point. So, I think obviously for the past four years or so, three or four years, with self-attestation, it’s been up to the company to determine how to implement the controls. And obviously, NIST has come out with some more detailed guidance. And I think when the CMMC draft came out early on, it didn’t have the appendices that it has now. And so the appendices are definitely helpful and there’s some great examples in there, but sometimes it might not be exactly what you’re looking for for your particular company. And so yes, I’ve had lots of folks say that, “I can’t wait until the assessment guidance comes out so that we really know what their requirement is going to be,” because you don’t want to wait for the external auditor to come in and let you know how that control is interpreted because at that point, you might have a deficiency as opposed to getting ahead of it.

Erin Keating:
As far as subcontractors go, there’s been, at least in our previous conversations, some confusion or just a lack of clarity on if a subcontractor has to meet the same level of certification as the prime contractor based on what the subcontractor is doing. How are you communicating to your subcontractors to be prepared to service the contracts that you have based on levels for their particular responsibility?

Amy Howland:
So, I don’t think that’s known yet. That’s a good question. I think we’re providing them information regarding readiness because it comes down to whether they’re handling CUI or not. And I did want to actually add more to Jonathan’s point. That’s a concern I and many have had for a while in regards to what the government contracts are going to say, and so I think we’re all waiting, not just for what the prime levels are going to be, but then how that flows down to our subs. If you think about inventory that you have and you’re trying to assess criticality of your inventory, so you go to the business owners and you say, “Okay. How important is your system?” And if you happen to talk to the owner who runs the system, it’s very important. And you might say, “Well, what happens if it goes down for a day?” “Oh, that’s okay.” “What about two weeks?” “Oh, that’s okay too.” And at that point, is it really critical?

Amy Howland:
And so that’s where you need to establish some guidelines as to what does critical mean, and maybe it can be down all year, but there’s one day that it has to be up, and so obviously, that’s a different way of looking at it as long as it’s up that one day. But I sort of go back to that story that’s real a lot when I’m thinking about how our government counterparts are going to get the training. And I agree, Jonathan, I’ve heard that too. I feel like it was a while ago, and they keep talking about the assessor guidance and the assessment guidance. I’m very much hoping that our government customers are going to have that training so that they don’t tend to make the mistakes about what level is actually required.

Amy Howland:
I mean, there’s been some strong inputs out there about what’s critical infrastructure and what really is the level four, level five, and then in recent months, they keep narrowing down how many contracts might actually be at particular levels. So, you can kind of get a sense that not that they’re looking for less contracts to be at level four, level five, but that’s probably what the interpretation is. And so I think it’s going to be really important that what’s put to paper now is understood by the folks that are actually putting those requirements in place.

Erin Keating:
Anything to add, Jonathan?

Jonathan Stammler:
Just to add on that, yeah. I think we’re focusing on trying to get into the working groups so we can provide our voice as well. There’s other groups like the DevNet community who have been providing a voice to the accreditation body.

Erin Keating:
So, in speaking about how you’re looking at your technologies moving forward, how does automation play a role in this?

Jonathan Stammler:
I think automation is crucial, especially at the higher levels, but I think it’s very important at level three. It’s very unlikely CISOs are going to be able to double their staff, depending on the organization, to meet these needs, especially when it’s a moving target with the contracts. You don’t want to plus up and then have people sitting around or not being fully utilized. I think it’s also important especially to get through the accreditation, automating evidence. Some of these pieces of evidence, depending on the controls, take quite a bit of time to procure and show that evidence, especially over time and depending on how the auditor’s requesting information, whether they’re spot checking logs or tickets or reviewing configurations. So, I think automating that can save organizations a lot of time as we go through the assessments.

Jonathan Stammler:
I think the other thing that won’t be talked about right now but will be later is, if you have an incident, what happens to your CMMC accreditation? What’s that remediation period for you to be declared in good health and able to operate again? And that’s even more evidence and demonstration of your security posture. So, I think if you’re doing a manual process, one, you’re going to be prone to issues, you’re not going to be able to meet those process maturity requirements, and then being able to get remediated and back to that good state will be very, very difficult if you’re not automating where you can when you can.

Erin Keating:
Yeah, those are good points. I think automation is definitely going to be required at the higher maturity or it’s looked for more at the higher maturity levels and certainly can be implemented anywhere regardless of what level it is. But I think there are certain controls that are more prone to that. So, obviously, automate your session timeouts, things like that, and some of the technical controls can be automated. I think you’ve covered it from a tools and controls perspective, and one of the things that always comes to mind for me back when I was driving to the office and listening to all the commercials on the radio, you’ve got all these vendors and folks, and there’s a little bit of a difference.

Erin Keating:
I think there’s been some strong announcements recently, and I’ll put a little plug in again to remind folks that nobody is CMMC accredited right now and no vendors have the full guidance on how to get you there, but I think while automation of controls and some of these controls, especially looking at some of your logs, and I like what you said about the evidence, that’s a great point, that’s important, but there’s no silver bullet for CMMC. So, I just wanted to put that out there. You can’t automate CMMC. There are tools and vendors that will say that, “You just buy this tool and you’ll be CMMC compliant,” and I’m always a little bit loath to that. And there’s certainly some great vendors out there, there’s some great tools, but they’re not going to give you your physical security controls obviously when you implement that.

Erin Keating:
And so there’s a lot of things that you have to do, but I think you can’t automate compliance and you can’t automate maturity. So, those are the things that I think if you implement automation smartly, then you need to handle the rest of this stuff from a team process.

Jonathan Stammler:
I wholeheartedly agree with that, especially for some of this documentation and the business processes. Some of these security assessments before, a security team could kind of operate in their bubble and reach out to a couple of different pieces of the organization, depending on how it’s structured, to meet these accreditation standards. But with CMMC, it’s organizational-wide, so you definitely have to start building those relationships internally and try to build those guardrails to make sure that your policies and processes are being documented, that they’re being followed and tracked, and it’s not just a security team doing that, it’s your quality team, or contracts team, HR, etc.

Erin Keating:
So, before I ask what next steps are, how are you guys doing? I mean, surely, everyone has to understand that for any company out there, the CISOs, and the managed IT teams, the information systems, data compliance, everything, just period, is in high, high demand. From the very basics, I’m sure of just helping someone operate Zoom properly, to making sure that they have their VPNs and their proper credentials to log into the systems and everything. How are you all doing? And in the bigger scheme of everything that’s going on, the follow-on question there would be, what are your next steps? Because your life needs to be highly focused on CMMC in order for your organizations to be able to be ready to respond to bids and continue working with the Department of Defense, come, I think, September, but also the world’s just imploded for a moment here and you’re dealing with massive amounts of demands, I’m sure, on your teams. So, what would be your next steps to get your teams refocused back on CMMC while also having to manage these widely remote workforces and difficulties with getting contractors onto sites and things like that?

Erin Keating:
So, how are you doing and what are next steps?

Amy Howland:
I think we’re doing well. I’ve had a few conversations with the team or with friends and I think a lot of us are really fortunate to be doing what we’re doing. First of all, if you love cybersecurity, obviously it’s great, but so many of us are able to work remotely and not lose a minute of anything that’s going on, obviously, with Skype calls or Zoom calls and whether they’re in video or not video. I certainly don’t want to lessen the situation, but just from a pure team perspective, regardless of what’s going on in the world, I feel like from an OCIO perspective, our team hasn’t missed a beat because of all the connectivity and the ability to work from home. Obviously, folks who are in jobs where social distancing prohibits them from doing their job, I just think we’re all sort of thankful all the time that we can continue on.

Amy Howland:
But you were talking about… it’s funny, but setting up a Zoom call or whatever it is, those are the folks that are field services, right? Those are the folks who are in person who are needing to keep up with all the cleanliness requirements and the social distancing requirements and trying to come and show you how to use your particular tool while keeping away from you at the same time. And so there’s that or there’s that ability now to do things over the phone and to do things remotely. So, I’ve been on calls with the outside of even the CISO organization just with OCIO, with the rest of my peers in IT, and just sort of seeing how folks are shifting their responsibilities and how they can do things remotely, how folks who are supporting customers who maybe can’t be… For the most part, I know a lot of folks at Perspecta are still able to support customers, but for folks who need to do something different for a moment or who might be one week on, one week off, how can they help within the organization to do things remotely?

Amy Howland:
So, next steps are going to be just continuing that process. But I think from my CMMC perspective, a lot of it is potentially a summary of the things we’ve talked about is, just keep watching the communications that are coming out from Katie Arrington about CMMC as the accreditation body stuff is coming out. I think there’s some expectations mid to end of April with some of that guidance. Keep watching for that.

Amy Howland:
Actually, what’s going to be interesting is seeing how many and which companies are able to go first, if you will, when the audits start. Obviously, with 300,000 contractors, I think the idea is that they’ll only get to a very small percentage, but then how does that tie to the contract? So, which contracts in 2020 and 2021 are going to actually have the CMMC requirements in them? And so I think it’s going to be a big watch and talking to your business development team and your teams that are onsite with the customers to listen for who’s coming out with RFPs and what requirements those are going to have. And then as you’re going forward for competes and recompetes, making sure that your teaming partners are with you, and unless you’ve had that guidance upfront, just really thinking through and assessing where you think those CMMC levels need to be both for yourself and for your peers and your partners and your subs, to make sure that when it’s time to go, that your team is ready.

Jonathan Stammler:
Yeah. I think from the remote standpoint, our team in conjunction with the CIO’s team has done a great job of supporting remote. I think right now my focus has been communication and transparency, making sure those folks have the tools they need to be able to communicate fully remote and getting them ramped up and help them understand what they can and can’t do, and then working with clients and their security teams to see what we can provide in the interim to bridge any security gaps or concerns so people can stay billable and continue to work regardless of what they were doing before the stay-at-home order.

Jonathan Stammler:
From a CMMC perspective, largely the same as Amy. We’re looking closely at the accreditation body, trying to get on the working groups, getting a couple of folks in there so we can better understand and have a voice on how the assessments are going to go, really understand the process. It will be interesting to see who the assessors are and how many there are, what you can do to set up yourself for success to get in that line as soon as possible, because I think we’re all anxious, regardless of where we are today, to get that date set so that we can be comfortable and be able to tell our leadership that we’re going to go through the audit at this date, so contracts moving forward is not going to be an issue.

Jonathan Stammler:
Same thing with our subs. Still communicating, assessing based on the data they’re handling today and what we’re working on with them, so prioritize our focus. The ones that are handling more sensitive data to make sure they’re going to be able to meet the requirements, and then just providing awareness to the other subs who may not be as familiar, and just slowly bring everybody up as the accreditation body and DoD release more information.

Erin Keating:
Great. Well, I know you guys have very busy lives right now with everything that’s going on, on top of just what you’re normally having to work through on a daily basis, so we sincerely at NeoSystems appreciate your willingness to participate in these conversations and to help keep our listeners updated on how everyone’s doing, where this whole process is moving towards, and how your companies specifically are dealing with the challenges ahead. So, thank you guys both so much for being here today and we hope that in a couple of months we can be doing this in person and we can all be that much further along in the CMMC process. We hope we get to reserve the right to come back to you guys in the next few weeks if we have more questions and we just wish you both well and to stay safe and healthy. Thanks so much for being with us.

Amy Howland:
Thank you.

Jonathan Stammler:
Absolutely. Thanks.

Erin Keating:
The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure. From software hosting and security solutions to managed accounting services, NeoSystems’s custom-built solutions and services are tailored to fit your organization’s needs. Check us out on the Internet at NeoSystemsCorp.com, that’s NeoSystemsCorp.com.
