Podcast Season 4 Episode 3: WashTech CISOs Speak: Alicia Lynch with SAIC
Alicia Lynch, the VP and CISO at SAIC, joins us on this episode of NeoCast to discuss how SAIC is preparing for the upcoming certification deadlines of the CMMC. As SAIC has a slew of third-party vendors in its supply chain, she discusses how it’s mutually beneficial for large prime contractors to offer assistance to smaller companies so they can gain the proper level of certification.
Transcript
Erin Keating:
Hello everybody and welcome to our third episode in this series we’re calling WashTech CISOs Speak. We’re so excited to have Alicia Lynch with us today with SAIC. Alicia joined the SAIC team in April of 2018 as the Vice President, Chief Information Security Officer. She brought 30 years of experience with the Department of Defense, the defense contracting community, and the private sector. Alicia retired as a Colonel from the US Army in 2012, where she served both as an intelligence officer and a cyber specialist. With these qualifications, she served in every echelon from platoon to national, while leading units from team size to commanding a brigade. Since then, she’s leveraged her technical experience in commercial executive-level positions focused on cybersecurity. Recently those titles have been Deputy Chief Information Security Officer at Centra Federal Services, VP of Enterprise Solutions at a cyber startup, and Director of Governance, Risk and Compliance at BAE Systems.
Erin Keating:
Alicia holds an MBA from the University of Maryland, Robert H. Smith School of Business, a CIO program certificate from the National Defense University, and a BA from the State University of New York. She’s also maintained the ISC2 Certified Information Systems Security Professional certification.
Erin Keating:
Without further ado, let’s bring Alicia on.
Erin Keating:
We at Neo Systems have been concentrating on a lot of educational content around the Cybersecurity Maturity Model Certification, and we know that this is hitting over 300,000 contractors over the course of, I think it’s maybe four years according to Katie Arrington and Nicole Dean, who we’ve spoken with before, but there still are several primes that need to be up and ready by September, as well as a lot of subcontractors that are working on contracts with the DOD. We’re just curious about what you’re seeing that’s trending right now for SSOs as you think about CMMC, and in your position as a prime contractor, as well as how you’re communicating with your subcontractors, could you tell us a little bit about what experience you’re going through right now with that?
Alicia Lynch:
I think what’s been a benefit to SAIC is that we were one of the first companies that was contacted to do a DCMA assessment last year, and that was an assessment that DCMA did around the 110 NIST 800-171 controls. And that drill really prepared us well for the CMMC coming into play right behind that. So I take that as, it gave us an opportunity to get a little bouncing, get ready to prep for the CMMC. SAIC did really well on that assessment and we’re going into the CMMC feeling pretty confident that the additional, you know, 60-plus controls that we’re going to need to implement to get to level four or five are going to be more attainable because of what we did with DCMA last year.
Alicia Lynch:
And we’ve already crosswalked the new CMMC controls against our environment to see where we might have some gaps and we’ve identified those and we’re already working on that. So I’m very confident we’re going to do well with the CMMC and I’m actually very supportive of the government doing that. I think it’s good for the whole, not just the industry for us to use the basic cyber hygiene controls and practices.
Erin Keating:
So then, knowing that you’re a prime contractor and there may be certain companies within your supply chain servicing some of those contracts, how has SAIC been approaching contacting all of the subcontractors to be sure that not only are you taking care of the level of certification you need to go for, but also, how are you helping the subcontractors attain that level of certification?
Alicia Lynch:
I think what’s great about SAIC is that we’ve had good processes in place from way before I got here. So SAIC is a pretty well-known company and has been doing this for a lot of decades. What’s good is that I’ve walked into an opportunity where we have good processes in place around our supply chain. We’ve always flowed down whatever DFARS controls or other enhanced cyber controls that we’ve gotten in our contracts to our subs. So that is just kind of an SOP thing.
Alicia Lynch:
As far as how we assist our suppliers, we do a prioritization type of effort at SAIC around the companies that we know have the clauses that we flow down to them and also the companies we consider tier one providers, and we make sure that we … there’s a process we bring them into the company with as a supplier. It is self-attestation. They fill out the forms and do basically like an 800-171B type of assessment.
Alicia Lynch:
And then the ones that we are particularly critical of are the ones that we know handle, that we do flow CUI down to and handle customer data. So we track that and we make sure that we do check-ins on them and verify that they can actually handle the information that we’re flowing down to them, or that the environment that they’re working in that has that CUI is protected to the standards that it needs to be protected to. And we’ve put an additional investment at SAIC into a cyber assistance team. We call it our CAT team. And we, if necessary, send that CAT team out to tier one suppliers or even a supplier that might be a lower tier but provides the critical component of something that we need, and we make sure, if they have CAD drawings or things like that, we make sure that they are securing the data to the standards that they need to be securing them to.
Alicia Lynch:
So SAIC puts a lot of investment in making sure that we protect the customer data even as we flow it down to our supply chain.
Erin Keating:
You know, it comes to mind that given the situation that we’re in right now, the DOD took a jumpstart on this as they usually do around these types of topics. But it seems like, to your point, this type of cyber hygiene is relevant for all industries, and it sounds great that SAIC is seeing this as an opportunity to institute these types of gates on the cybersecurity across the company, across different areas of business. Do you foresee this becoming more broadly accepted or put into place across the government market at least?
Alicia Lynch:
I do. I think that, generally, when things start to happen in the defense space, it flows on over to the federal side as well. So I do see it happening. And again, it’s just good practice, so it doesn’t make sense if we don’t … Even on into the commercial spaces, I have friends who are CISOs of large banking institutions and things like that. And they’re not required to use NIST 800-171 controls, but they do because it is a good best practice. So I think it’s going to proliferate more than just on the federal side, but into the commercial space as well.
Erin Keating:
Absolutely. And the good thing is that a lot of people are now really seeing why that’s so important. So I think if there are some silver linings to the whole crisis that we’re in right now, it’s that more people are more in tune with why we have certain controls in place and why they should, in fact, be in place much more prevalently across all the different service areas. I’m just curious, have you run into any challenges related to technologies?
Alicia Lynch:
The challenges with technologies are usually having enough money to get them. So I think that there’s just a lot of technologies in each space. And then how do you sift through the ones that are the ideal for you? There’s a lot of great companies out there like Gartner and others like them that have done all the work with their magic quadrants for CISOs and others to help figure out where the product is placed in the market and, for companies as large as ours, which do we need to use? So I don’t really see issues with them, other than a lot of vendors are foreign-owned companies. And in this space that we’re in, on this side of the house, we have a tendency not to lean towards those types of products. We go more for the US, made-in-America products.
Alicia Lynch:
So I would say that’s probably … there are good products out there, built in other countries, but we have to have a good process in place to determine if we could actually use the products and that they’re safe products. So I think that’s probably the hardest one I would say that we deal with. For the most part, I think in the cyberspace, the only way that we can really protect ourselves is deployment of products, the cyber stack. What’s most important is that you have an employee workforce that understands that they need to be very cyber savvy and that they’re the first line of defense, and the practices they use. But about the products, I think that I’m happy with the solutions that we use in SAIC.
Erin Keating:
We’ve done a couple of different series with Neo Systems, some of it being on workflow automation and automation tools. And to your point mentioning workforce, it always still comes back to the people. It’s really critical for some of these smaller contractors and subcontractors within the supply chain to potentially rely on more technologies or more automation in order to become certified, but it still has a lot to do with the workforce. We’re actually excited to be doing an entire series on workforce development. So that’s kind of exciting to look forward to.
Erin Keating:
So what are your next steps as far as getting prepared for this? We know that auditors aren’t quite yet on the market and then it will be somewhat of a mad rush to get everyone up to certification in time for the fall season. What are you working on most importantly and critically right now?
Alicia Lynch:
So I think I mentioned before that my governance, risk and compliance team has already crosswalked the CMMC controls to our environment. So we’ve already identified our gaps and we’re working with the different functionals who own those controls in the IT organization to start to put together the plan on how we’re going to enable the new controls that we need to enable across our environment.
Alicia Lynch:
Something that we’ve been working on for the last year is putting the investment into a cyber threat and intelligence and integration center, being built actually right now. And so I’m really looking forward to showcasing our CTIC capability, which is going to be the opportunity for us to show the CMMC assessors when they come in how we take it to the four or five level around the controls related to incident response and intelligence integration, threat hunting and things like that that are necessary to get it to the highest level that we want to get to.
Erin Keating:
Very exciting. Thank you so much, Alicia, for taking the time with us today. Are there any parting pieces of advice that you might have for, potentially, subcontractors or smaller contractors out there? You know, obviously, the prioritization of certification is going to be determined shortly, but everyone could benefit from a company of your size and someone with your expertise. What can they focus on? What are your parting thoughts?
Alicia Lynch:
I would say that the smaller companies definitely have anxiety about, you look at the 110 controls and then the CMMC, their additional, you know, 61 controls. It certainly would give a small company anxiety, but there are a lot of opportunities to get compliant by going to a cloud environment and things like that that might not be so costly as if they had to put those controls in in an environment that’s very small for their size. So I would say just dial down the anxiety and look at it as an opportunity to make what they do secure and safe, and whoever their primes are, they have channels, most likely, that they can reach into to get assistance. And I know that whenever we have any subs or third parties that we haven’t reached out to first, they do reach into us and ask for assistance. So I say just ask for help, and your primes are probably happy to provide you any support that they can provide you.
Alicia Lynch:
Other than that, I would say that it’s the new way of doing business. Probably the thing that I’ve seen most concerning is that there’s so much resistance to the controls and to trying to secure environments, and it’s the new future that we’re going to be living in. And I’d say just embrace it and do the best you can.
Erin Keating:
Yeah. And to your point, it’s mutually beneficial for the primes as well as the subcontractors. So great advice. Go ahead and reach out to some of those larger contractors; they more than likely have the channels and are willing to work with you, because it’s mutually beneficial for them to have a supply chain that is up to certification as well.
Erin Keating:
We thank you so much for your time. We know you’re extraordinarily busy at this time, and we look forward to catching up with you, I think it’s going to be on April 28th, for a larger panel potentially. And thank you so much for connecting with us.
Alicia Lynch:
Yeah, thanks Erin.