The Department of Defense will require contractors’ and subcontractors’ certifications and security protection. In this episode, Nick Espinosa, an expert in Cybersecurity and Network Infrastructure, unpacks the cybersecurity blueprint to help establish security to mitigate breaches. He explains the value of the Cybersecurity Maturity Model Certification. He also dives into hiring an outside expert to help you in cybersecurity. Nick discusses when you can get an internal person handling cybersecurity in your construction company. Tune in to this episode with Nick Espinosa to find out more!
More on the CMMC work Nick’s done for ELECTRI and JGRF: https://electri.org/product/a-cmmc-overview/
Buy the one book every construction leader must read: https://www.amazon.com/Construction-Genius-Effective-Hands-Leadership/dp/B0BHTRDY1T/
Own a construction company, need to be a better leader? Contact Eric for a chat about how he can help: https://10minutes.youcanbook.me/
—
Watch the episode here
Listen to the podcast here
The Cybersecurity Blueprint: Unpacking CMMC Certification And Choosing Your Cybersecurity Team With Nick Espinosa
It is a great pleasure to have back on the show, Nick Espinosa. Nick is an expert in cybersecurity. Check out Episode 210 for his insights into how to protect your company from hackers. We’re going to be talking about the Cybersecurity Maturity Model Certification. This impacts you, whether you realize it or not. It is a certification that the Department Of Defense is going to be requiring for contractors and subcontractors.
You might say, “I don’t work with the DOD,” but that certification and that level of security protection in the cyber world is going to be trickling out throughout all of the Federal government, down to the state and local levels. If you do any work in those areas at all, you’re going to need that CMMC or Cybersecurity Maturity Model Certification at some point, and that’s why you should read this episode.
In addition, Nick and I explore the things that you should be looking for when you are hiring an outside expert to help you with your cybersecurity and when you should get an internal person to handle cybersecurity as your company grows. You’re going to get three things. 1) All about the CMMC, 2) How to pick an outside vendor to help you with your cybersecurity, and 3) When to get an internal person handling cybersecurity in your construction company. It’s going to be practical and straightforward. The great thing about Nick is that he’s very articulate to the point. He knows what he’s talking about. Enjoy my conversation with Nick.
—
Nick, welcome back to the show.
That’s for having me again. It’s good to be here.
You joined the select group of second-time visitors. There’s another group of three-time visitors. We’ve never had a fourth-time visitor yet, but thank you much for coming back on. I know you’re very busy.
It is my pleasure. My question is, if I hit five times, is there some kind of jacket that I get?
It’s funny. I have an eight-year-old. He’s a budding entrepreneur. He wanted to start a sweater printing business. I said, “Why don’t we start a Construction Genius store where we take the logo and do all the sweaters and the hats?” He was like, “Let’s do the Construction Genius Store.” We will make that happen for you.
No worries. I appreciate it. It might get stuck on the back of my wall.
I’m bringing you back on because you are an expert in cybersecurity. It’s a massive issue. I know last time we talked about a huge construction company that took a massive hit having to deal with cybersecurity. I’m here to dive into your expertise in terms of the Cybersecurity Maturity Model Certification. Please tell the audience what that is.
The CMMC or Cybersecurity Maturity Model Certification is essentially coming out of the US Department of Defense. We’ve had a huge push overarchingly in the entire world of cybersecurity in the last years for vendor supply management, basically in securing your supply chain because when you go through all these data breaches, every week there’s some kind of massive data breach. I literally do a Breaches of the Week video every Sunday. It keeps getting longer. Half of those are more are we didn’t get breached, but we outsourced some aspects of our business, and now they got breached, and we have to declare. The Department Of Defense is no different. They have a defense industrial base, which is 300,000-plus private corporations that essentially are catering to whatever the Department Of Defense needs.
If they need a warplane built, they’re going to get it. If they need ammunition, somebody’s going to get that. You’ve got on top of that construction. You need the Marine barracks built, landing strips for your Air Force, etc. God knows what the Space Force needs. The Department Of Defense came out and said, “We are sick and tired of having China, Russia, and all of our opponents eat our technological lunch every day.”
The DOD is not getting hacked, but the defense industrial base is getting hacked because while they’ve always had a standard to say, “Are you doing security?” everybody could say, “We’re doing it. We’re fine,” and then everybody gets hacked. Now they said, “No more.” Back in 2020, they released the original CMMC 1.0, which was an utter hot mess, but it got it down the road. It signaled the entire defense industrial base.
The DOD is no longer playing around, and you are going to have to get a third-party certification for most cases if you want to handle what is called CUI or Controlled Unclassified Information. That would be the schematics of the marine barracks. If you’re that pipe fitter, you’re that electrician, AEC, MEP, or take your construction acronym pick, and you’re working on that marine barracks, now you’re handling CUI.
Now you’re handling something that they don’t want another intelligence agency to understand where to put the cameras on the microphones. They are forcing this down on the entire defense industrial base. By virtue of that, this is 2023. Now we are three years into this. This is when a lot of us are starting to come alive. It’s going to be a huge issue. If you’re now learning about this here on this episode, you are officially behind.
Some more details, then. Break down very simply. Give it to me because I’m a simple guy. Give me the 5th or 10th-grade level of what this is all about.
Essentially, what this is is that you’re working in the defense industrial base for the Department Of Defense. You might not be a prime contractor. You may never go to the DOD directly, but that large GC that has the contract to build the marine barracks is flowing down work to the subcontractors, mechanical, electrical, plumbing, take your pick.
By virtue of that, everybody that handles that information essentially needs to have a certification or at least an attestation or a waiver to work on that job. If you do not have any one of those things by law, you cannot work on that job, which means you could potentially, if you’re a sub, lose the most favored status with your GC because your competitor can do it and because they have the certification. This is a huge thing that a lot of construction corporations have no idea how incredibly important this is going to be as it comes to fruition.
By virtue of that, it’s a standard process for operating now as we are looking at the Department Of Defense. Eventually, this is going to the entire federal government, and then it’s being pushed to state and local as well. By virtue of that, even if you’re not working with DOD and you’re like, “I work with the local municipal dog catcher to build kennels,” at some point, there’s going to be a Cybersecurity Maturity Certification that you’re going to have to get. It may not be as stringent, but this is coming for everyone that works with any level of government. That’s the big thing to understand.
That makes it clearer to me that it’s not just the DOD, but it’s going to be everyone eventually. What are those three levels of the CMMC, the 2.0? Where are we at the moment with that?
There was 1.0 when it first came out. That was five levels that you had to go to. If you were that GC or that subcontractor, level three is where over 90% of a defense industrial base is going. They streamline that in 2.0. Now, there are three levels. The first level remains the same, basic cyber hygiene, but that doesn’t allow you to handle that controlled unclassified information. Now, 90% of the defense industrial base, AKA, the readers here, are going to level two.
Level two is now considered good cyber hygiene. Level three is for the big boys like Lockheed, the space contractors, aerospace, and that kind of thing. If you’re a GC, sub, MEP, AEC, etc., level two is what you’re targeting, and here we are. It’s 110 security controls with policies, procedures, evidence, and everything that is required. It’s going to be, for some, a heavy lift. For others, you might be halfway down the road or more, in which case, finish those projects, secure yourself, get the paperwork in order, and you can start looking at getting a certification. It takes time, money, energy, effort, and all those things.
Let’s say I’m a contractor. I know this is coming down the pipeline, haven’t done anything yet, or maybe it’s the first time I’m reading about it. Give us very quickly some first steps that I can take to get to at least that level two.
The first thing that you should do is indicate to the federal government that you are interested in working with the defense industrial base and the federal government as well. You can sign up for what is called the SPRS. This is the Supplier Performance Risk System that the DOD has. You’re supplying your CAGE codes from the US government to say, “I am contractor X. I’m interested in going down this road.”
You do a self-score out of the 110 controls. Are you rocking it out or not? I will give you a caveat on that. Some of the early advice that was given to a lot of companies out there was to score yourself as 110. No matter how bad you are, you could be one. Put everything in what is called POAM mode or Plan of Action and Milestones. Meaning, “We’ve got 90 controls to go, but we’re going to get them done in the next year.” The government then went back and started looking at companies for fraud.
They’re not doing that. Be honest with that score. If you’re at 40 out of 110, you’re at 40. If you’re at 109, you’re at 109. Be honest with that. What you’re doing is you’re signaling that you are going down that road. From there, I highly recommend getting an overview assessment based on the CMMC standard or the NIST standard, 80, which is what CMMC is based on. That will give you a roadmap to understand, “Out of the 110 things, here are the 80 things I’ve got to do. We’re going to prioritize the big rock things, get those done, and the little things will fall into place.” No project like this should take more than 8 fiscal quarters or 2 years. That’s beyond important because technology is rapidly changing.
Also, understand that these rules, because they’ve been submitted, they’re going to go online somewhere between late 2023 and early 2024. It is originally going to be May. That’s being pushed back, which gives you some breathing room, but also understand if you’re starting down this road now, you’re probably behind your competitors. There are plenty of construction companies out there that are already doing this and started back in 2020 that are almost there or are there. This is a huge thing that we need to understand. We’ve got to get moving on this. It’s beyond important.
Let’s go back to 110 security controls. What are the big rocks in those 110 security controls?
I will start with where a lot of corporations or organizations fall down we have seen historically. If you’re looking at the NIST framework, there are 22 categories at the high level, and those are the ones that have all the little controls underneath it. It usually starts with things like asset management. Do you know where all of your computers, tablets, IoT devices, phones, etc., are?
If you do not have total control of your asset management and can prove it, then how do you know your stuff is protected? How do you know it’s not being stolen? How do you know it’s up to code? We start with those kinds of things. We’re also looking at identifying risks to the organization. Do you have a risk management strategy? Have you done a risk assessment of yourself? What happens if you get ransomware? What happens if a tornado hits? What happens if an employee decides to walk away from your prospects list and go to your competitor?
These are things that we have to quantify as an organization and figure out ways, “Do we accept this risk because there’s nothing we can do about it? Is there something we can fix? Can we transfer it to a third party?” These are things that we have to understand. There are other things like access control. Does everybody have a unique username and password on your network, or are twenty guys in your shipping department all logging into the computer as shipping, and then they get ransomware, and now you got twenty guys pointing the finger at each other? These are things that we have to look at. On top of it, it’s data security. Everybody thinks cybersecurity is your Firewall, antivirus, and all that stuff, and it is. That’s part of it, but that’s data security.
Everybody thinks cybersecurity is your firewall, antivirus, and all that stuff. That's part of it, but that's just data security. Click To TweetThere’s contingency planning. How are you handling a disaster? Do you have an incident response? How are you maintaining your network? How are you maintaining your defensive stuff? There are a lot of different things that go into this, but if you’re starting down this road, this is why we start with an assessment because if you start plugging these holes, all you’re doing is playing whack-a-mole and you’re going to miss things by the time you get to the audit, then you’re going to have to be scrambling to make up that time or fix something that you should have fixed right out of the gate.
—
This a quick break to remind you about my book, Construction Genius: Effective, Hands-On, Practical, Simple, No-BS Leadership, Strategy, Sales, and Marketing Advice For Construction Companies. You may ask, “Where did you get that title?” I got it from one of my clients. He and a number of his executives went through a training program with me, a leadership development program. I asked for his feedback, and he said, “Do you know what I like about your training? It’s simple, effective, and no BS.” If that’s the kind of information that appeals to you, go out and buy my book. Get it for you, for the executives in your company, and read it together. Start a little book club where, once a month, you get together for 30 or 40 minutes, and you say, “We’ve read 3 or 4 chapters in the book.”
There are twelve chapters. You can do it in about 3 months if you take 4 chapters a month and have a discussion, “What are we going to do to use this information in our construction company?” If you do that over the three months, what you’ll do is not only get a ton of great information, but you’ll share it with one another. You’ll build team strength and cohesion. It will have a massive positive impact on your construction company. Whether it’s the paperback, the hardback, or the Audible, you can get it on Amazon. Go purchase your copies, and I promise you it will be a tremendous refreshment for you and your team.
—
For the audience, what I’d like to do is refer you as well to Episode 210 when Nick came on. We got into a lot of detail in terms of specific strategies to protect your business from hacks, phishing, and fraud. Nick, you work with a lot of construction companies helping them with these types of issues. I know that many of the contractors who are reading this don’t necessarily have their own in-house expert. They may have someone who’s their head of IT or something like that, but they’re not a cybersecurity expert. I know this may sound like a slightly self-serving question, but what I’d like you to do is give the audience some brass tax advice as to what they should be looking for in an outside vendor when they’re selecting someone to help them with cybersecurity.
This is an excellent question and a very important point. It’s something that I talk about all the time. IT is not cybersecurity. I do not go to my podiatrist for brain surgery, and I’m not going to my neurosurgeon for footwork. I like to both walk and think. We specialize like anybody else. If you’re a pipe fitter, do you know how to run electrical? Probably not. There are two different disciplines there. By virtue of that, understand the differences, but also understand the capabilities of outsourced IT or internal IT as well. There are a lot of things that we dovetail with that go hand in hand. I love my IT people. I can set my watch to them. They keep the lights on, keep the maintenance running and the infrastructure up. Cybersecurity is the shield that defends that.
When you are looking at getting an MSP, let’s say you’re having to outsource, that’s one of the things that we help organizations with. We help the labor union do that and find a new outsourced MSP. It is to understand that all of them are going to come with the same thing. We’re going to be fast, friendly, and responsive. If there’s an issue, we’ll be their five-alarm-fire kind of thing. They’re all going to give you those kinds of guarantees. They’re all going to have those written into their contracts. What separates good from great or horrible from great is the products that they sell. That’s your first stop.
What separates “horrible” from “great” is the products they sell. That's your first stop. Click To TweetIf you have mid-range products or they are rather selling you mid-range products as opposed to enterprise level, let’s say firewalls, which is a very easy example, you’ve got these very mid-range products out there like WatchGuard, SonicWall, Meraki, and a whole bunch of others, and they’re not selling you or they don’t have the ability to run things like Palo Alto Networks firewalls, which is the same firewall that DOD uses for example, that’s a huge gap because it shows they’re not investing the time and energy in training to move up to more advanced products. That’s something that we have to understand.
I’ll give you the perfect example. With that labor union, we were looking at 29 different MSPs or outsourced IT in their area. We whittled that down to five purely based on product, then we have other criteria that we interviewed for. Another one that we also look at, too, is the certifications of the organization, not necessarily the certifications of the individual.
Do they have a SOC 2 certification as a company? Do they have an ISO certification as a company? These are things that they should be moving towards. Even if they don’t have it, if they’re on that road, that’s also a good sign as well. For example, in my company, we get this 800-171. It’s the same standard as CMMC, and we’ve been doing that for many years because I’m an old NIST guy. I come from that background.
By virtue of that, we can attest to that as a company, “Can your MSP do that?” If they can’t, that is another tell that maybe they’re not handling your data. Maybe if you have to declare a data breach, it’s not you getting breached. It’s your IT company. We went through a rash of thousands of IT companies getting hit because of a low to mid-range product that got compromised by Russian hackers. You got to practice what you preach here.
It is the types of products that your provider is selling and the certifications that the provider has. Help me in this way because I’m not much concerned about how much I’m supposed to pay. What I’m concerned about is how I’m paying. If I’m looking to upgrade, should I be expecting a chunk upfront and then ongoing payments? What should be my expectation going in?
Most models now are kind of the pay monthly-as-you-go model in the sense that you’re going to sign up for Office 365, and you’re paying Microsoft month to month. You can buy a year upfront. They prefer that, but a lot of those are ongoing payments. When you’re looking at outsourced third-party IT, odds are you’re going to be paying them a flat rate per month for specific things. You’re going to have monitoring agents on your computers to make sure your computers are up to date. It probably ties into your threat defense on the computer.
If we get a virus, it’s going to alert them. Those are pretty standard things these days. You pay monthly for that. When you’re looking at things like enterprise-level technology, if you’re looking at endpoint detection, which is the agent that replaces antivirus on all your computers, those usually are month to month. When you’re looking at firewalls, you’re usually buying the firewall outright, and then you’re buying a license for anywhere from 1 to 3 years. In three years, you might have to go and renew that license or buy something new, depending on the model you have, those kinds of things.
It’s hit or miss, but most outsourced IT run on the monthly recurring revenue model, meaning, “You’ve got 100 computers I need to secure. I’ve got 100 agents, antivirus, EDR, and this.” You’re paying $4,000 a month just for that, plus our service package. Now you’re up to $6,000 a month, and that covers everything. Some of them will say, “It’s more money for more service in terms of if we have to respond.” Others will say it’s a flat rate no matter what. We’re taking the risk, and they usually build the risk dollars in. Usually, you’re going to have monthly recurring charges, and you might have some that you have to renew annually or every few years.
What are some red flags that I need to look for when I’ve picked someone, I’ve invested some time in money, and you know what it’s like for us? We invest money, and the sunk cost fallacy comes in. I’ve sunk some costs in, but I’m beginning to suspect that my provider is not doing what they should be doing. Maybe they’re blowing smoke a little bit, or their service isn’t up to speed. What are those red flags that I need to watch for that are going to bite me if I don’t pay attention?
Right out of the gate before you sign, if anybody comes in saying they can make you hack-proof, they are lying to you 100%. Do not work with that person to save your life because there are no absolutes in cybersecurity. I can build you a Ferrari’s worth of a cyber-defense strategy, and some fifteen-year-old kid might be able to find some way to work around it. Now the entire cybersecurity community has to slam on the brakes and figure out, “What on Earth happened? How do we change defense?” That literally happened in the mid-2000s to Google, Amazon, Facebook, and Apple in a span of two weeks. A fifteen-year-old kid broke into all of them and completely rewrote the game. First things first, there are no absolutes in technology in the sense that, “I can build you an excellent cyber defense strategy that makes it very hard to break into you.”
At the end of the day, there are no guarantees. That’s the unfortunate truth of that. I’m being honest here. That’s a red flag right out of the gate. If somebody’s saying, “You’ll be bulletproof,” no way. The other big thing is, honestly, if they’re failing to meet expectations right out of the gate, that’s not a good sign. We had one of these where we went through that vetting process. There are things that I cannot judge because I do not have to live day-to-day working with this IT company like my client does.
They’re the ones judging, “Do I like these people? Do I want to punch them every time they walk through the door? Are they not? Is this a good fit?” They had one that they thought was a good fit and had the right technology, but when they had essentially a massive spamming attack, that company was not responsive for weeks in an effective manner, leaving them open.
That, for me, is a huge red flag on, “Did you make the right choice? Should we be looking somewhere else?” If you’re not getting these things done in a timely manner, it’s an issue or even a basic thing. Understanding we’ve had some supply chain risks, but I had a company that couldn’t get a single laptop for two months. That’s why they came to me and said, “We need to switch.” If they’re not living up to what they’ve promised, “We’ll respond within fifteen minutes,” and it’s four hours, that’s a good indicator.
At what point do I begin to build my own internal, which is more than an IT department? Do you have any clients who, for instance, have an internal security expert and use your services in addition? I’m trying to help people think about how they should be looking at it. Tell me about that.
I have several clients that have their own internal IT and cybersecurity teams. They’re that big. My clients range from small to Fortune 100. I work with the United Nations. I run the gamut here. I go wherever there’s a need. It doesn’t matter to me how big you are. If you need cybersecurity, we’re here. I have plenty of clients that do that. We become advisors and consultants. We’re never the boots on the ground. You’re never hiring me to fix your printer. I’m not taking that job, but I’m advising you on how to defend your printer, and you’re implementing it based on my design, advice, etc.
Where you are in that mode, especially if you’re in growth mode where you’re saying, “Should we bring on somebody in IT?” it is usually honestly somewhere between 100 to 200 people where that need starts to become. As you grow to about that size, you start to realize that over about 150 people or so, you’re going to need some layer of middle management. Maybe more effectively, you start looking internal because you’ve got the resources and finances to be able to say, “I can hire people that are not out generating money. I can hire internal quality control.”
As soon as you start seeing that, then you start to understand that. At that level, you usually are not hiring a chief information security officer because that’s prohibitively expensive, but what you’re doing is you’re hiring basic IT that will take directions from more experienced outside. Why would you call an IT company to fix Word, reboot a computer, replace a mouse, or something like that when you can have somebody for pretty inexpensive to do that?
The response time is instant because the person is in your office or works on your behalf. They’ve got no other job. All they’re doing is focusing on your team and people. That is usually that balance. At that point, it’s usually a hybrid. You’ve got the internal person taking care of the low-hanging fruit, and then you’ve got an IT company outsourced that will handle the infrastructure and the maintenance thereof because you’re not hiring very experienced network engineers because they’re expensive.
As you grow, you start to shift into that mode. It’s give or take. I’ve seen companies do it 75. I’ve seen companies start that road at 150 plus, but it’s around there where you start to look inwards to say, “We are going to start stunting our growth. If we are not streamlining our internal processes, we’re not showing maturity.” That is any aspect of a business. Whether it’s cybersecurity, risk management, or standard operations, you need that internal maturity to start moving to that next level.
Give us a quick summary of what CMMS is, why it’s important, and how to get started on that.
CMMC is the Cybersecurity Maturity Model Certification from the Department Of Defense. It’s essentially going to be required to go to level two for most organizations in construction. There are a few exceptions with possible waivers, but those are one-time things. Look at getting certified for that. It continues to keep your most favored status with your GCs because if your competitors get it and they’re a one-stop shop, you’re getting cut out because, by law, you’re not going to be able to work on a lot of these DOD projects.
This is also coming for the rest of the federal government, eventually trickling down to state and local in some form. You’ve got to get down this road. The laws or the rules are going to be online, officially enforced in something 6 to 8 months from now as we know. Make sure you’re getting down that road. This is very important. Start now. Start registering with the government and the SPRS. Go down that road and start that self-assessment, then get an overview assessment of your organization, then start implementing, and get that certification.
Nick, please tell the audience more about yourself, what you do, and how they can contact you.
I’m the Chief Security Fanatic at Security Fanatics. We do all things cybersecurity, cyber warfare, cyber terrorism, infrastructure, government compliance, and all those things. On top of that, I’ve done four TED Talks, co-authored a bestselling book, written for Forbes and Smerconish of CNN, and on the national radio show. Find me on LinkedIn or Twitter, @NickAEsp. Follow me on YouTube. I could use the followers there. Knock yourself out.
I’d like to end this conversation with a slight detour. You and I, before we started, were having a parenting discussion. You had an insight that I had never thought of. I’d like you to share that insight with the audience in terms of a new teen driver.
One of the best things you could do if you’ve got a sixteen-year-old or a new driver is get them a stick shift car. Get them a manual. You can’t sit there and mess around on your phone. You got to ride to school, work, or wherever you’re going. You’re connected to the car in a way that you simply aren’t. You have to pay attention, especially as you’re learning manual transmission. That is probably the best thing that you can do.
I appreciate that. I’d never thought of it before, and I am now going to give that some serious consideration. Thanks for joining us. We are going to get you back on the show in the future to talk more about those security threat trends that are occurring so that our readers can stay on the cutting edge of what they need to do to make sure that their company is secure. Thank you for joining us here again.
Thank you very much.
—
Thank you for reading my interview with Nick. Share it with other people. Check out Episode 210 for my other conversation with him. Nick is a wealth of information when it comes to cybersecurity, so you should check his stuff out. Please share this interview with other construction executives that you think would benefit from reading. I’ll catch you on the next episode.
Important Links
- Nick Espinosa
- Episode 210 – Past Episode
- Construction Genius: Effective, Hands-On, Practical, Simple, No-BS Leadership, Strategy, Sales, and Marketing Advice For Construction Companies
- LinkedIn – Nick Espinosa
- @NickAEsp – Twitter
- YouTube – BSSi2 and Security Fanatics (A Service of BSSi2)
- https://Electri.org/Product/a-CMMC-Overview/
- https://10Minutes.YouCanBook.me/
- https://www.Facebook.com/NickAEsp
About Nick Espinosa
In 2015 Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations, was launched. A internationally recognized speaker, member of the Forbes Technology Council, TEDx Speaker, strategic advisor to humanID, regular columnist for Forbes, award winning co-author of a bestselling book “Easy Prey”, host of “The Deep Dive” nationally syndicated radio show, on the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as their Center for Cyber and Information Security, the President of The Foundation for a Human Internet and is the Official Spokesperson for the COVID-19 Cyber Threat Coalition.
Nick is known as an industry thought leader and sought after for his advice on the future of technology and how it will impact every day businesses and consumers.
