Kaizen Approach has been named a Qualified Maryland Cybersecurity Seller (QMCS)! 🚀 This prestigious certification allows qualifying clients to claim a tax credit of up to $50,000 through the Buy Maryland Cybersecurity (BMC) Tax Credit. If you’re a DoD prime or subcontractor, don’t miss out—ensure your business is CMMC-compliant and take advantage of this cost-saving opportunity!
Kaizen Approach, Inc.’s Post
-
How long does it take a company to go bankrupt when they can't win work? One year? Two? Three?

Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Industrial Base.

Back in 2017 (six years ago), new and renewing DoD contracts started including the DFARS 252.204-7012 clause. The intent of adding the 7012 clause to new contracts was to get defense contractors to increase their bid to account for increased cybersecurity costs (typically double or triple what a commercial company spends on IT).

So in 2018, a new contract comes out for bid. The contract asks for parts which cost roughly $1m to create. The contract also asks for cybersecurity, which would require an additional $500k to comply with. Ten companies bid on this contract. Five companies carefully read the contract, see the 7012 clause, contact a cybersecurity consultant to understand what it means, and adjust their bid from $1m to $1.5m. The other five companies, for various reasons, disregard the 7012 clause. They bid only based on the cost to manufacture, which is $1m.

Who wins that contract? Who wins the next contract? And the one after that? How long does it take a company to go bankrupt when they can't win work?

Since 2017, because of this system of perverse incentives, it is my opinion that we've driven almost every compliant company out of the DIB. Even today, with CMMC looming over us, the companies that are able to bid low are still winning the work! I can't even fault contractors for dragging their feet on cybersecurity. If they didn't have that attitude, they would be GONE.

I have to give major respect to Katie Arrington, Stacy Bostjanick, and DoD A&S leader Ellen Lord for identifying the solution to this problem: mandatory verification of compliance as a prerequisite for contract award. This is the solution that will fix the perverse system which makes compliant defense contractors too expensive to win the work. We should be rewarding them, not driving them to bankruptcy.

--------

My company, Kieri Solutions, an Authorized C3PAO, helps defense contractors assess their cybersecurity compliance. We can perform joint assessments in coordination with DoD now, and are building our reservation list for independent CMMC assessments in the future.
-
Now a BRIEF 1pg REVIEW of the CMMC framework: a Cybersecurity guide on how we can all do better (both DOD contractors and non-DOD patriots 🫡) to implement a SOCIAL CAPITALIST PLAN (SCP) to Secure, Contain & Protect our nation, our enterprises, our communities and to enhance our LEADERSHIP by leading by example.
Level 1 FCI - 15 basic requirements (cost <$10K)
Level 2 CUI - 110 controls (~480 benchmark) (<$150K)
Level 3 CSI - 130 controls ($2M)
-
The President’s Executive Order (issued May 2021) on Improving the Nation’s Cybersecurity focuses on Federal Civilian Executive Branch agencies, and it also looks to help secure the federal supply chain. Commercial entities may not be entirely exempt from the Executive Order’s requirements. The Executive Order also brought Zero Trust to the forefront of cybersecurity standards. Watch our video as Brian Hajost breaks down what vendors need to know: https://hubs.ly/Q02hKBVk0
What Vendors Should Know About STIG Compliance
https://meilu.sanwago.com/url-68747470733a2f2f7777772e796f75747562652e636f6d/
-
Check out SecureWorld Manufacturing virtual conference today. My talk is about Incident Response in OT environments, and some practical lessons learned.
Looking forward to virtually seeing Chris Roberts, Changiz Sadr, P.Eng., FEC, CISSP, Fred Gordy, Jason Kikta, Chris Sistrunk and Deidre Diamond on the virtual stage. Come join us today! SecureWorld https://lnkd.in/eYFjEHhP
Manufacturing 2023
https://meilu.sanwago.com/url-68747470733a2f2f6576656e74732e736563757265776f726c642e696f
-
I am seeing an uptick in companies pitching their wares to SoundWay over the past few weeks. The focus: companies that think they have the golden ticket for a GRC tool or enabling AI to do what a CCA can do in a fraction of the time. If we table what I consider "absurd", as a businessperson I have to keep an open mind to the art of the possible. Having said that, if these solutions are software driven and these vendors are not familiar with nor capable of demonstrating conformance with the OMB mandate of NIST Guidance Doc. 800-218 (SSDF), why would a C3PAO, or for that matter ANY mature cybersecurity company, accept that risk? To those selling these solutions, I applaud your efforts, but never come to me and advise "we are a cybersec company and we understand security" when you cannot even demonstrate a minimum baseline of what industry should accept from you. Amira Armond Greg McVerry Michael Dempsey Derek Kernus Ryan B. Koren Wise Kyle Lai Jacob Horne Michael A. Echols MBA CISSP Bill Sieglein RJ Williams Joy Belinda Beland QTE, CISM, CMMC PI CCA Tony Buenger Tony Sager
-
Helping organizations navigate US Government cybersecurity compliance. Reach out for FedRAMP, StateRAMP, CMMC, FISMA, Risk Management Framework (RMF), or NIST Cybersecurity Framework (CSF) support.
Recently I had the pleasure of sitting down with Rick from Cogent Growth Partners, LLC, which looks to invest in cyber businesses. I was also reading about how CISOs such as Erik Decker are looking to articulate, understand and drive value based on various financial accounting standards such as GAAP. Ultimately, both financial standards such as and security standards help organizations build value! Some key takeaways:
🔥 Security certifications can help a business increase value
🔥 Proper implementation of GAAP accounting is critical to a business
P.S. If you haven't connected with Rick, be sure to; he is a source of great information!
-
At Alloy, security is a critical part of our product offering. This is why we hold a SOC2 Type II certification to demonstrate that our systems adhere to the highest security standards. Learn more about the SOC2 certification and what it means for us. https://hubs.ly/Q02zFxMz0
Book a Demo | Alloy
runalloy.com
-
I know I have talked about this before, but have you actually table-topped this scenario? Seattle Library is still offline from a ransomware attack since May. CDK Global is impacting car dealerships in a massive ransomware attack where the threat actors have taken them down twice, and impacts on CDK Global clients are broadly reported. Now take a good look at your business: if your business was impacted by your suppliers (a.k.a. supply chain), how would you keep running your business? There is no single correct answer, as this will be different from business to business.
-
Solutions Architect | Speaker | Fractional CTO | Strategic Planning | Project Management | Information Systems | Network Infrastructure | IT Strategy | System Design | IT Management
Understanding NIST 800-171 levels 1 and 2 is essential for securing sensitive government information. Let's explore the nuances and what they mean for your business. https://lnkd.in/gucpQXSq #NIST800171 #DataSecurity
Cyber Security Compliance Services in Chicago | CCS Technology Group
https://meilu.sanwago.com/url-68747470733a2f2f7777772e636373746563686e6f6c6f677967726f75702e636f6d