Manufacturing tends to resist new technology. Not aerospace, though. It’s on the cutting edge.
In this episode of The Virtual CISO Podcast, John Virgolino, President/CEO at Consul-vation, Inc. & CEO at SENT, discusses what makes the aerospace sector different from a technology and security perspective.
- Why making security part of your culture is key
- The security challenges facing aerospace companies
- The trouble with government contracts
- Reasons why you shouldn’t look for a loophole in aerospace security compliance
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the tool is 99% accurate, you may find some small discrepancies between the written content and the native audio file.
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome to another episode of the Virtual CISO Podcast. I’m your host John Verry and with me as always, I will refer to you as the Adam Gase to my Joe Douglas, Jeremy Sporn. Hey, Jeremy. But, just so you know, there’s a new game in town. I’m the all gas, no brake, Robert Saleh, and as a Jet fan, I am thrilled.
Jeremy Sporn (00:48):
Yeah. And I would much rather be the Saleh to your Joe Douglas.
John Verry (00:53):
I know, but you’re not. You’re more Adam Gase to me.
Jeremy Sporn (01:01):
That’s honestly one of the worst things you said to me, [inaudible 00:01:01] of our four year relationship here.
John Verry (01:04):
All right. So, what did you think of my conversation with John?
Jeremy Sporn (01:07):
So, there’s just something about talking to people who are in the trenches, the ones who are doing the work, and John Virgolino has been supporting the technology, and security needs of the aerospace industry for 19 years. He talks the talk of someone who has just rolled his sleeves up, and done the work for quite some time.
John Verry (01:28):
Yeah, I think that’s well said. I always enjoy when I get a chance to speak with folks that are in the same world as me, but they live on the other side of the street, so to speak. Like when we talk with like someone like an [inaudible 00:01:39], like Ryan from Shellman, or software vendors, like Sanjeev from Prevail, or Jose from TechScape. It’s very helpful to me because I can gain insight into how they address the same issue that we’re looking at, but they’re doing it from the other side of the mirror.
John Verry (01:52):
And I found the same thing was really obviously true here with John. They’re often the team that we are intersecting with on the project, after we’ve… Either during the scoping, and then afterwards, they’ll actually be responsible for implementing some of the recommendations, and risk treatments, and gap remediations, or if you will, POA&Ms, that we identify to get these aerospace vendors prepped for their certification. So, definitely a fun conversation for me as well.
Jeremy Sporn (02:16):
Cool. Yeah, I think people are going to get a lot out of this conversation. If you are in that aerospace industry, and want to understand, really the practical solutions to your security, and compliance, and technology challenges from a 20 year veteran, John Virgolino, president and CEO at Consul-vation is your guy. He breaks down some, what I would consider really key topics for the aerospace industry, like how to address security flow down requirements, how you should understand, and improve your SPRS score, which we know is a significant piece to help be able to win new contracts. Just really simple solutions to common challenges for aerospace companies. Really looking forward for people to listen to this one. I think it’s going to be great.
John Verry (02:58):
So, I know you’re not clever enough to have done this. But, you made a Jets reference on an aerospace podcast.
Jeremy Sporn (03:11):
I wish you were so wrong.
John Verry (03:15):
I’m sitting there listening, I don’t know if you saw the smirk start to go on my lips. I’m like, “Dang, that was brilliant.” And he didn’t do it intentionally.
Jeremy Sporn (03:22):
No, no, no. It must have been good, John, have we said that more than once?
John Verry (03:30):
All right, so with no further ado, let’s get to the show. John, how are you today, sir?
John Virgolino (03:40):
I’m Excellent. Thank you.
John Verry (03:42):
And you lie well.
John Virgolino (03:45):
Thank you, thank you.
John Verry (03:46):
No one is excellent during COVID.
John Virgolino (03:48):
Of course. This is true.
John Verry (03:50):
At best we’re passing.
John Virgolino (03:53):
John Verry (03:54):
There you go. You and me both. So, I always like to start simple. Tell us a little bit about who you are, and what it is that you do every day.
John Virgolino (04:03):
Sure. So, John Virgolino, and I am the president, CEO of Consul-vation. We’re an IT consultancy in New York, and we cater to small to medium sized businesses throughout the country, actually. I’ve been in technology since I was 16, when I wrote my first program on a TRS-80, and have been hooked on it ever since then. So, I did a whole bunch of programming in my early career, and then moved into networking, and IT since then, and then started Consul-vation about 20 years ago.
John Verry (04:39):
Excellent. Excellent. So just out of curiosity, New York City, Long Island? Long Island?
John Virgolino (04:45):
Long Island, yes.
John Verry (04:46):
Long Island, which is where I’m from.
John Virgolino (04:48):
John Verry (04:52):
What area in New York?
John Virgolino (04:53):
We’re in Great Neck actually, on Long Island, like you said.
John Verry (04:56):
On Long Island, yeah. I have family in Floral Park, and all that area. So, I know Nassau County a bit. I grew up in Suffolk County, and I still have a lot of family out that way.
John Virgolino (05:04):
So did I, actually. I grew up in Dix Hills.
John Verry (05:07):
John Virgolino (05:09):
John Verry (05:10):
Not far from the Commack Arena.
John Virgolino (05:11):
That’s right. Oh, yeah, absolutely.
John Verry (05:13):
With the Long Island Ducks, and George [Swarbeck 00:05:16], who was the star of the team at one point. But now we’re going down a rabbit hole we should get right back out of. All right, so before we get down to business, I always like to ask, what’s your drink of choice?
John Virgolino (05:25):
Ah, yes. I’m more of a wine guy. I don’t really partake a lot, but I tend to be more on the wine side. Occasional beer here and there.
John Verry (05:37):
Red, white, on the wine?
John Virgolino (05:39):
Red, red. Yeah, I like the dry wines, actually.
John Verry (05:44):
Something more towards a Cabernet, or a blend or?
John Virgolino (05:48):
Yeah, yeah, Cabernets are good. Yeah, yeah, definitely.
John Verry (05:51):
John Virgolino (05:52):
Something to go along with a good steak, you know?
John Verry (05:55):
No I don’t, I’m largely a vegan these days, John.
John Virgolino (05:58):
John Verry (05:58):
Thank you for reminding me of that. You put me in a bad mood right at the beginning.
John Virgolino (06:03):
Ah jeez, okay.
John Verry (06:06):
So, the reason we wanted to chat with you is that you have a unique place in that you spend an awful lot of time in the aerospace industry. And with everything going on in the defense industrial base, and CMMC, we thought it would be fun to chat with you a little bit, and talk about that. So, what makes the aerospace sector different from a technology, and security perspective?
John Virgolino (06:27):
That’s a good question. Typically, especially in manufacturing, there tends to be a… I’m going to use the word resistance to adopting newer technology. But I found that aerospace tends to lead into the cutting edge more often than not. And that’s kind of exciting, because they kind of understand the value that technology brings to building their products, as well as their operations.
John Virgolino (06:56):
So, it’s not a necessity, in the sense of, “Oh, God, we have to have this technology here. We need to have it in order to progress. We need to have it in order to be better than the next guy, who’s building something similar, or is going to wipe us from the market.” So, I find it’s that attitude, I guess. I guess it’s best said, they get it, in terms of the value of technology, and what it brings to business, and to product development.
John Verry (07:29):
Gotcha. And actually, it might be an interesting thing to step back, and just, let’s define what is, and I know it’s going to sound a little crazy. What is the aerospace industry? Because that could encompass a lot of things. Right? The Boeings, the McDonnell Douglases, the SpaceX, I mean, Bell Helicopter. Tell me, when we talk about the aerospace industry, how do we define that, and what are the characteristics of an aerospace company, if you will?
John Virgolino (08:00):
How much time do we have? I like to think of it in the sense of, obviously, it’s in the goal of making anything that does not stay on the ground, right? So…
John Verry (08:15):
John Virgolino (08:17):
Sure. I mean, technically, there’s physics involved. So, you could say that some are better than others. So, compared to, I guess, traditional manufacturing, where you’re building a widget that serves a very specific purpose, here, we’re talking about moving people, we’re talking about moving items from one place to another, in a way that is efficient, and more often than not, high tech. I mean, missiles are just as much aerospace as a plane. Like you said, with Boeing, or any of those products. So, it’s very broad, actually, but there’s a… I don’t know how to describe it, really. There’s a sense that sets it apart from traditional manufacturing.
John Verry (09:10):
Je ne sais quoi.
John Virgolino (09:11):
John Verry (09:12):
Yeah, that’s the perfect feeling there, right? It’s the, I don’t know what you call it.
John Virgolino (09:16):
John Verry (09:17):
That actually defines it. So, let’s talk about that for a second. So, anything… So, you spend a ton of time in this sector. Anything that’s unique from a technology perspective, or anything that’s unique from a security perspective relative to… I’m sure you do some work outside of the aerospace industry.
John Virgolino (09:34):
John Verry (09:35):
How would you compare and contrast what’s different technology wise, and or security wise between your aerospace industry clients, and non-aerospace industry clients?
John Virgolino (09:44):
Well, compliance has a huge factor in here, because more often than not, these aerospace companies are dealing with the government. It’s not a requirement, but more often than not, that’s a good part of their contracts come from the government. So, compliance is a huge factor from a security standpoint. So, they have to be aware of the security requirements. And with CMMC, now it’s really just no choice. I mean, when the DFARS Clause originally came out for NIST 171 compliance, that was kind of a, “Okay. Sure. We’ll take a look at that.”
John Verry (10:21):
“We’ll get to it.”
John Virgolino (10:23):
Yeah, exactly. And if the prime asks us about it, sure. Yeah. Yeah, we definitely looked into that, and it was definitely taken care of, absolutely. We have all 110 requirements totally taken care of.
John Verry (10:38):
You said that just a little bit tongue in cheek, I think.
John Virgolino (10:43):
Just a little bit.
John Verry (10:44):
Am I sensing a little sarcasm in this? For the people that can’t see your face right now.
John Virgolino (10:48):
That’s right. Yes.
John Verry (10:50):
John Virgolino (10:50):
There’s definitely a lot of that. So, my experience was that the larger companies that had resources available to them, were a lot more willing to kind of embrace the requirements, because it made sense. It was saying, “Okay, here are all of these security requirements.” And 171 is very broad, but it covers the core security domains, really, that you need to focus on in any environment, right?
John Virgolino (11:20):
So, it’s sensible, I guess, is the word I’m looking for there. And they get it, and so they said, “Okay, so let’s apply this across the board. Let’s make our networks secure, and let’s see what’s going to be involved from a cost standpoint, a time standpoint, resources and so forth.”
John Virgolino (11:40):
So, they kind of embraced it, and went with it, which was nice, because you don’t often run into that. Very often, it’s more of a, “I have to deal with this, and how much is it going to cost me?” And so forth. So, a lot of the aerospace companies really kind of took it on as a mandate to change their culture, really. And I think that is a key aspect of this. Security has to be part of your culture, for it to work really effectively.
John Verry (12:11):
Yeah, [crosstalk 00:12:12] tone at the top, right?
John Virgolino (12:14):
John Verry (12:15):
So I couldn’t agree with you more. So, it sounds like you’re saying that the security challenges are what creates the Delta, if you will, in technology, because specifically, if we talk about 800-171, that means they probably were earlier to using encryption, using digital loss prevention, data loss prevention tools. They probably have more of an investment into their SIEM, or log management infrastructure. So, those are the kinds of things that you would say, like, if you looked at your aerospace companies that took 171 seriously, that’s what makes their technology different than let’s say, either one that didn’t take it seriously, or a non-aerospace organization?
John Virgolino (12:57):
John Verry (12:59):
John Virgolino (12:59):
Yeah. And you see it immediately, just looking in the way that the technology is deployed. Or the questions that they ask. “Okay, so we need to implement two factor, how are we going to do that?” I see a lot of discussions online about various aspects of 171, and how to interpret it, and two factor comes up a lot, because I know it’s one of the more difficult ones to implement.
John Virgolino (13:24):
And there’s a lot of technologies available now that actually even what, five years ago, weren’t available. The answer to the question is a lot easier when they call, but the fact that they’re even asking is amazing. It’s awesome. That’s something that we have to kind of push with the non-aerospace, or the clients that… I don’t want to put down non-aerospace clients.
John Verry (13:48):
No, a lot of them take it seriously as well, right?
John Virgolino (13:50):
John Verry (13:50):
I mean, look, at the end of the day, I don’t give a crap what kind of a company you are, generally speaking, most organizations don’t find religion around security until their customers tell them they have to. Or they have a breach.
John Virgolino (14:04):
Yeah, yeah, exactly.
John Verry (14:05):
I mean, good point. So look, I mean, the people that haven’t gotten there yet, there’s a reason they haven’t gotten there, and they’ll get there. So to that end, it’s interesting to me to talk with you, because on the CMMC 800-171 side, we’re the guys that are usually driving, in terms of like, “Okay, what does that mean? What should your scope look like? What is the risk look like?”
John Verry (14:24):
And we’re making a bunch of recommendations that somebody is implementing, or a high level recommendation that someone’s interpreting and implementing, and I guess in a lot of cases, the equivalent to us, is that that feedback is getting to you, right? Because you’re the IT service provider.
John Virgolino (14:38):
John Verry (14:39):
So let’s talk about like, how is CMMC influencing, like, what are the major things, so if an aerospace company is listening right now, right? What are the things that their IT service provider needs to be able to help them with, and what are the most common things that you’re being asked to help them support these conformance requirements, whether it’s 800-171, or CMMC level three?
John Virgolino (15:02):
Sure. Yeah, well, so I mean, like right now, it’s mostly doing the initial self assessment that the interim rule required. I think the deadline was two days ago or three days ago, and actually it wasn’t technically a deadline. So, we’ve actually been recently doing a lot of the self assessment piece, where we’re going through each one of the 110 clauses, and determining where they are, what’s their current state, and then creating the [POA&Ms 00:15:32] for getting them to the next step, because that requirement is great, and they need to get that into these DoD systems, so that if they have any new contracts coming up, that number needs to be there for the self assessment.
John Virgolino (15:46):
But technically, they’re not going to get CMMC audited for at least probably a few years, before it kind of reaches them. So, the actual implementation piece is a much longer-term focused project for us. So, we’re prioritizing the higher [inaudible 00:16:05] items in NIST, things like user authentication, two factor, and all that stuff. The things that we can implement fairly easily, fairly quickly, without huge expense.
John Virgolino (16:22):
And then more of the smaller stuff, and the more complicated things tend to get pushed down a little bit. But they know that they have to get that done. Things like two factor on a larger scale, like on a per desktop basis, becomes a lot more expensive, and a lot more complicated when you’re in the hundreds of users.
John Virgolino (16:43):
So, in those cases, for instance, we’ll focus on the privileged users first, right? So, we’ll implement two factor in the server room, we’ll implement two factor with the administrative accounts, and things like that, and then learn from that situation within their environment, and then apply that to rolling it out to all the users. But other types of things that they’re focusing on right now are things like, really kind of the perimeter. You’d be amazed how many organizations rely on just the router that their ISP gives them.
John Verry (17:14):
No I wouldn’t. You forget who you’re talking to?
John Virgolino (17:17):
That’s true, I know.
John Verry (17:18):
I mean, a lot of people might be, but not me. Look, especially in smaller organizations that didn’t have their feet held to the fire prior. Right? Which is really what we’re talking about. Question for you. So, when you say you’re doing these DoD assessments, right? So, the goal there is that you’re trying to get the data into SPRS, right? The Supplier Performance Rank Reporting System. I’m curious as to, we see a really large disparity, but we’re seeing a lot of negative scores going. I mean, is that your experience? I mean, I haven’t heard of anyone who’s done it fairly, that’s above 78 or 80, realistically. Are you seeing most of your scores in that 50 to minus 50 range?
John Virgolino (18:00):
Yeah. I mean, that’s fairly realistic.
John Verry (18:02):
Because I mean… And it’s good that we talk about that, because anyone that’s listening, and I don’t want them to feel like, “Oh, my God, we got a minus 28. We are the worst company in the world.” No. Unfortunately, we’re seeing a lot of scores at that level when we’re looking at them.
John Virgolino (18:18):
Yeah. And I think a huge factor is when they started. And, we can have a whole conversation about how you interpret the rules, right? And what you’re really supposed to implement. But ultimately, so many companies literally started two months ago, right? You know this. So, there’s absolutely no way that you’re implementing 110 rules and regulations in a month or two, in anything small, larger than maybe a 10 user network.
John Verry (18:50):
And even then, if we were just implementing policies, standards, and procedures, that can be done relatively fast. But unfortunately, you have to implement a lot of technology in many cases, and you have to make a lot of decisions about that technology, and then the migration to that technology takes time. You don’t turn on two factor authentication overnight.
John Virgolino (19:08):
John Verry (19:08):
I mean, if you did not have logging, and you need a SIEM solution. Right? You’ve got to go to the market, what kind of a SIEM solution do we need? What do we need to actually do? How do we deploy it? How do we pick a vendor to help us actually do this? Who’s going to monitor it? How does the [inaudible 00:19:23] response? I mean, each of those are weeks of conversations, right?
John Virgolino (19:26):
John Verry (19:28):
And then getting it stood up, then getting it operationalized, and if it’s 800 [inaudible 00:19:32] one, you can check the box. If it’s CMMC, if that system doesn’t, over a sustained period of time, generate objective evidence of its operation, you’re not done.
John Virgolino (19:43):
John Verry (19:43):
Because the auditor needs two forms of persistent and habitual operation. So that means like over six months. So yeah, you’re right. I mean, the one thing which is interesting with RP training is they said, “Please, please, please stress to your customers, they need to… No matter if they don’t need to be certified for two or three years, start now, because realistically that gives them the time.” Is that what you’re seeing? So you’ve got these clients that are just getting to the 7019 requirement. Are most of them thinking about CMMC level three? Are they getting that flow down from their primes? Do they have plans to get there? Or are a lot of them right now saying, “Oh, good, we’re just good at the 7012 7019 equivalent. And we’re okay with 171?” What are you seeing?
John Virgolino (20:25):
I’m seeing a lot of questions.
John Verry (20:30):
Yes. More of them than answers these days.
John Virgolino (20:32):
Absolutely. Well, so here’s the thing, when you look at something as overwhelming as this could be, to an organization, the natural inclination is going to be to look for a loophole. “Can I get out of this somehow?” Right? “Yes, I get it, security is important to my business, I’m definitely going to think about it, I promise. But, is there a way to get out of this?”
John Virgolino (20:57):
And so, there’s one exception to CMMC, right? Is [COTS 00:21:01], right? The off the shelf stuff. But that is such a small portion of the market that, you know, “Okay, fine.” Most people don’t fall under that. So then they move, and gravitate towards the CUI. Do we really have any CUI? Because if we don’t, then we can live in level one, and that’s fine.
John Virgolino (21:21):
But the second we touch a piece of paper that has CUI, now all of a sudden, we have to be level three. And our customer is telling us, “Well, you should probably do this, but we never see any CUI. What is CUI? Is it really CUI? And if it isn’t, cool, we don’t have to do this. Right?” And that’s actually become a point of discussion with a lot of clients, which is, [inaudible 00:21:51] all of the paper, the documents, and the stuff that’s kind of flowing through their business, and are they creating CUI? Because a lot of times it’s not just what are you getting from your customer, that you’re participating in building, but you may be generating CUI as part of the process.
John Verry (22:12):
That’s a huge misconception.
John Virgolino (22:15):
Yes, absolutely. And… Go ahead, sorry.
John Verry (22:19):
Well said no, no, no. Well said, I’m glad you’re talking about that, because I’m amazed how often people don’t understand, it’s you either generate it, or you receive it. The other thing too, that people fail to do is you need to go talk to your contracting officer, you need to go talk to program managers from the primes, or the agencies you’re working for, and you need to go to whoever holds the legal paperwork, and you need to look specifically on what’s in those contracts. Because the reality is, not only… The other thing is that not all CUI is created equal.
John Virgolino (22:49):
That’s right. Right.
John Verry (22:50):
So, if it’s CTI, or CDI, it might have additional requirements, like no [inaudible 00:22:55], no rail.
John Virgolino (22:56):
John Verry (22:56):
You might have ITAR requirements.
John Virgolino (22:58):
John Verry (23:00):
You could migrate to GCC High, or migrate to some other solution, and then find out that it… Or migrate to a different email, and file sharing platform, and then realize suddenly, “Well, it doesn’t work for ITAR.”
John Virgolino (23:11):
Export regulations also come into play.
John Verry (23:14):
John Virgolino (23:15):
So yeah, and that I found is a huge part of, number one, the training aspect of their employees who are handling, and creating, and then disseminating the CUI, they have to be trained, they have to understand what it is they’re handling, how to mark it properly, and then how to get it out there, and control it as best as they can, I guess. And that’s all outside of just infrastructure, right? That’s kind of outside of the realm of IT, technically.
John Virgolino (23:45):
At the same point, IT is handling all of that more often than not. It’s interesting, because in one of the evaluations we were doing, we were talking about all the digital versions of everything, but I saw just stacks of folders, and papers just everywhere.
John Verry (24:04):
John Virgolino (24:05):
“So is that digitized?” “Oh, no, that just follows the part around until we’re done with it.” “Cool. Where does it go when it’s done?” “[inaudible 00:24:15] Over there.” “Fantastic.” You understand that that’s covered? You can’t ignore the physical stuff, too. So, it becomes this really overwhelming thing, I think.
John Verry (24:27):
John Virgolino (24:27):
So, anyway, the point is kind of getting to that Jesus moment really, where you realize you have to do this, and it’s going to affect your business in a lot of different ways.
John Verry (24:40):
So, you’ve got figuring out what you need to do, is a problem. We’ve got the technical implementation issues that we talked about with SIEMs, and multi factor authentication, and encryption, and things of that nature. Paper is definitely another issue. What about anything specific to like the fact that many of these are manufacturing concerns, correct?
John Virgolino (24:59):
John Verry (25:00):
Any specific technical challenges that are… Because a normal business doesn’t have that manufacturing, may not have the SCADA systems, might not have some of the other tools, and technologies. Any of those you find present specific challenges when dealing with NIST and CMMC?
John Virgolino (25:18):
Definitely. First thing that comes to mind is IoT. And I’m bunching CNC into IoT, essentially. It just makes it easier. So essentially, CNC is those big… Yeah.
John Verry (25:31):
Quick question, for someone who might not know, what’s CNC?
John Virgolino (25:34):
Yep. Okay, so CNC is, so if you ever look at like a [inaudible 00:25:39] facility, you can see a lot of these giant machines, they’re milling machines, or they’ll carve things, or they’ll do whatever. It’s what manufacturers use to make what they make, and these today are programmable, via what are called DNC systems, by engineers who take the drawings of whatever it is you’re building, and then they write a program for the CNC.
John Virgolino (26:03):
So, just to use an example, let’s say you take a block of metal, and you’ve positioned it inside the CNC, and you want to make a ball out of it. So, you would program the CNC to carve out circular motions, and to cut out pieces, and then eventually it becomes a ball, and that’s how they make this stuff. You need to write a program to tell the machine how to do that. What angle to cut at, how much to cut, and, and all that other stuff.
John Virgolino (26:33):
So they write these programs, they have to get it to the actual CNC control. How do you do that? Well, in the olden days, you would run a physical serial cable from one computer, and you would run it all the way to each CNC in the shop, and then they would trans [inaudible 00:26:52] program to the CNC that way. Now, they don’t do that anymore. They use wifi. Yay. Because we all know wifi is so secure. Again, being sarcastic.
John Verry (27:03):
Yeah. Yeah. And that’s where it gets interesting, and it makes it difficult, because now you’ve brought all these other systems into your CUI scope.
John Virgolino (27:14):
John Verry (27:14):
Right? And that’s such a big challenge, and what we want to do logically is minimize that scope, but yet we need these systems, and we need this data, so yeah, it becomes a huge issue. Do you see much… I’m just professionally curious, because we’re working with a client right now. Do you see the move from CNC to 3D printing, kind of like the opposite? One takes away, one adds.
John Virgolino (27:38):
John Verry (27:38):
Because we’re seeing some pieces in the aerospace industry being generated through 3D printing now, which is really interesting to me.
John Virgolino (27:44):
Yeah, definitely seeing that. I think it’s [inaudible 00:27:47]. And it’s also, to actually generate usable, sellable parts, I’m not seeing that very much.
John Verry (27:56):
John Virgolino (27:57):
What I’m seeing it as, is as enhancements to the production process. So, instead of going out and maybe buying a part, they might make it with 3D printing. And also for modeling, and building prototypes, and things like that. So, they can do cutaways, and things like that, which you’d normally do in CAD software, but having a physical thing that they can touch, and kind of play with is very helpful. So, I’m seeing a lot of rooms that are being dedicated to the 3D printing, and they’re kind of playing with it there.
John Verry (28:29):
Gotcha. And then one of the things that I’m seeing a bit with our folks in the industry is that many… And I don’t know if you see the same thing, many of these organizations are relying on downstream vendors to do different pieces of it, it seems to be a common challenge. And now we have this new requirement under the interim rule, to kind of ensure that our downstream vendors have the same level of certification that we do, whether it’s CMMC level three, level one, or a score in SPRS. Are you seeing the same thing? And how are organizations addressing that challenge?
John Virgolino (29:00):
I am definitely seeing that, and if they were confused about getting compliant themselves… They are beyond confused.
John Verry (29:12):
John Virgolino (29:12):
Yeah, it’s so unclear about what their responsibility is, right? So, they’re kind of relegated to, they essentially copy what their upstream are doing to them. They’re putting together a letter, they’re explaining, “Okay, this is DFARS Clause, whatever, whatever, whatever that applies. You are downstream, you need to get to this level. Go figure it out.” Yeah.
John Verry (29:38):
Yeah. It’s funny, because I had a conversation with a guy the other day, and the guy was like, “Look, I don’t know how we’re gonna stay in business if we’ve got to push this downstream.”
John Virgolino (29:45):
John Verry (29:45):
Right? “We have dozens of providers, and these guys are smaller than us, and we’re not big, there’s no way that they can afford to do the things that we needed to do.” So, it is going to be interesting, and I’ll clarify one thing. I don’t think it’s confusing, it might be confusing to them, but it shouldn’t be what they need to do. I think it’s confusing on how to do that. Right? Not what to do. The what to do is, okay, if you have to have a… if you’re under 7019, they have to have a score on SPRS.
John Virgolino (30:13):
John Verry (30:14):
John Virgolino (30:14):
John Verry (30:14):
All right. The problem is not… That’s easy. The problem is that these organizations are not going to have the wherewithal to either calculate that score, or they’re not going to have the wherewithal to get that score to a level that… And if they don’t get it to a score that’s to a certain level, can I still continue to work with them? And what is my obligation? I think that’s the confusing part, and if somebody can’t get to a CMMC level three, and I need to work with them, and I’m at CMMC level three, but I can’t produce my… What do I do then? It’s like, I know what I need to do, I just don’t know how to solve the problem, if you will.
John Virgolino (30:47):
Totally agree. It’s tough, and that’s where also that CUI question comes in a lot, which is, “Okay, well, I’m just sending this out to get coded, we’re not giving them any diagrams. We’re literally just giving them the parts. They’re coding them, and then sending them back. Do they have to do this?” Well, at the minimum, they’re probably going to have to be level one. But that’s not bank-breaking. That’s actually just basic stuff.
John Verry (31:19):
Yeah, if you’re not at level one, we shouldn’t be giving you information anyway, in my opinion. Right? I mean seriously.
John Virgolino (31:25):
Exactly. I agree.
John Verry (31:26):
I mean, at some point, that would be… If you’re not level one, you’re approaching negligent, if you’re dealing with… I mean look, at the end of the day, and I’m not a patriot standing on my box with a flag wrapped, draped around my neck. But, at the end of the day, guys, this is about national security. Right?
John Verry (31:43):
This is our national defense, and our national defense is an inordinate percentage of our economy. It has huge economic impact. So, the reality is that this is important shit, and if you’re not going to invest what’s necessary to get to a level one, honestly, you shouldn’t be in the game, and you should just go home.
John Virgolino (32:00):
Yeah, I completely agree. I mean, it’s, it really is the new state of warfare, right?
John Virgolino (32:06):
Yeah, North Korea, they’re going after us from a cyber standpoint, and you’re going to look for that weakest point, and that weakest point is going to be the guy who’s coding whatever you’re sending them, who does not have the firewall in place. It’s that simple. And that’s why they’re doing all of this. I mean, it’s just…
John Verry (32:26):
It’s a lot cheaper. And listen, we have ourselves to blame. I mean, we started it.
John Virgolino (32:29):
Yeah, that’s true.
John Verry (32:31):
Stuxnet guys. Look it up.
John Verry (32:32):
Look it up. [inaudible 00:32:35] Warfare. It’s got our name under the inventor.
John Verry (32:41):
Interesting stuff. So question for you. So, the companies that you work with, obviously, right now, you’re probably swimming in these, in NIST, and the NIST world. In your aerospace clients, do a large percentage of them do work on both the government defense industrial base side, and the private sector? Or are they mostly defense industrial base? In other words, are you dealing with clients that have multiple, disparate requirements? Hey, Boeing, or Raytheon is saying, “Give me 800-171.” And Ford is asking us for… Because we also have the same circuit boards that we print go into car vehicles, they’re asking us for ISO 27001, or something equivalent.
John Virgolino (33:24):
Yeah. Because we’re dealing with the smaller space, ISO doesn’t come up, at least 27000. But, they have other ISO requirements.
John Verry (33:36):
9001, I’m assuming?
John Verry (33:38):
9000 [inaudible 00:33:39] quality management system.
John Virgolino (33:40):
Exactly, exactly. I’m finding the ones that want the… Or have to get to 800-171, that that’s good enough for being able to say to the non-government ones, “Here is our security posture, it follows this standard, that is good enough for the Department of Defense, and for the US government. Is there really anything else that you’re looking for?” Especially from a private customer.
John Virgolino (34:11):
So, if they’re in a situation where they have both, the ones who have no government contracts, they are like any other business. They’re either going to be thinking about this, and consider it to be something that’s important for their business, and are going to see how to invest, and there’s a lot of models for implementing security out there, you know this. So, you can do basic stuff, and be able to say that you’re security conscious. Or, you can go all the way to something like 171 or beyond, get an ISO certification. So, strictly private, I would say it varies based on the type of business really.
John Verry (34:53):
Yeah, you know what I think is going to happen? So, I actually agree with what you said about, if you implemented 800-171 well, that’s pretty similar to ISO 27001, or SOC 2, or about any good framework. I mean, fundamentally, information security frameworks are the same. Understand what I’m protecting, understand what I’m protecting it against, what the risks are, implement controls proportional to risk, validate that it actually works the way I said it does. That’s information security, fundamentally.
John Verry (35:20):
So, it doesn’t really matter the standard. So I agree with you that an 800-171 environment is good, and that should be acceptable. The problem with an 800-171 environment is it’s self-attestation. So, if I’m the third party, I’m not accepting that. “Oh, you’re 800-171 conforming, and I can trust you because you said you’re 800-171 conforming?”
John Verry (35:38):
I think that’s the flaw with 800-171. In fact, that is the reason that CMMC level three exists, right? Because as you said, a lot of people said, “Yeah, yeah, I’ll get around to that. Yeah, yeah, we’re doing that.” And they weren’t. So, I think when CMMC level three comes out, it’ll be very, very interesting, because I think you’re right, I think the private sector companies, I think anyone in the DIB is going to say, “I’m not doing ISO on top of this, guys. You’re either going to accept this, or you’re not going to work with us.” And I think people are going to accept it, because I think CMMC level three is a pretty good level of security.
John Virgolino (36:09):
I agree. 100%.
John Verry (36:11):
So, it’s going to be interesting. All right, so, I’m looking over our list of things we kind of wanted to chat about, and I think we’ve hit most of them. Anything else that you think we should chat about?
John Virgolino (36:22):
I mean, yeah, I guess, if there was a message that I wanted to get out there, for people, especially business owners, is you have to take this seriously, and get your team trained, and on board, and really just make it a part of your culture. To me that… If it’s part of your way of thinking, so much gets remediated that way, in my opinion.
John Virgolino (36:51):
I think about developers, software developers, and so many are not trained to take security into consideration. Hopefully, that’s changing, more recently. But, again, it’s the whole thing, it’s having a mindset about security. It doesn’t have to be everything you’re thinking about, like you think about, you dream about this stuff on a daily basis, right?
John Virgolino (37:12):
But, I think that if people understand that, just considering the security perspective in making a decision about IT systems, or about software, or even about process, about that email you’re about to open up, are you going to click on that link? It makes all the difference in the world, between whether or not you get hit by ransomware, and you’re out of business for the next two weeks, or you don’t click on that link, and you continue to function.
John Verry (37:43):
And I think I’ll kind of layer on top of that is that CMMC is about information security, and managing information security risk, but CMMC is a business risk. Look, I mean, if you’re in the defense industrial base, as an aerospace organization, and you’re not getting serious about this, okay, you’re no longer… You are going to be at a competitive disadvantage, you’re going to be in a position where you’re not able to bid or win on contracts.
John Verry (38:09):
For the record, and I like what you said earlier, that you’ve got the POA&Ms in place, and you’re prioritizing the execution of those controls, improvements, executions, POA&Ms, excuse me, or those improvements based on how they’re going to raise the score. And that’s going to be important, because it is said, it is documented that both the agencies, and primes are going to have access to SPRS, and if they’ve got widget manufacturer A, and widget manufacturer B, and they look them up in the SPRS, and one has a score of 88, and one has a score of minus 153, okay, who’s getting the business?
John Verry (38:45):
Or if you’re trying to join a pursuit team, right? A capture team, to be part of a larger contract, and Raytheon looks you up, or Raytheon looks up your competitor, and they have a CMMC level three, and you don’t.
John Virgolino (39:00):
Yup. Right. Yeah.
John Verry (39:02):
So yeah, I think that’s the other side of this, is that this is a huge business issue, and it’s… I mean, it’s fundamentally, is we is, or is we ain’t?
John Verry (39:11):
I mean, I think that’s where we’re getting to, right?
John Verry (39:14):
Cool. Anything else?
John Verry (39:16):
I have one question for you.
John Verry (39:18):
Did you do your homework? Are you prepared?
John Virgolino (39:19):
Go for it.
John Verry (39:19):
This is the lightning round, this is the lightning round, John.
John Virgolino (39:22):
Oh, boy. All right, all right. I’m nervous, but go.
John Verry (39:25):
I’m hoping you prepared for this question. Give me a fictional character, or a real person you think would make an amazing, or horrible CISO in the aerospace industry, and why?
John Verry (39:36):
Beep beep. Go ahead, go ahead. I’m hoping you’re going to Wile E. Coyote into your-
John Verry (39:40):
Is Acme involved?
John Verry (39:40):
If it is, let me get a glass of wine, and sit down and listen to this story.
John Virgolino (39:42):
Well, the question is, is Acme CMMC compliant?
John Verry (39:43):
So go ahead, tell me about why the Road Runner would be… Is he horrible, or… Did you tell me if he’s a horrible or a great one?
John Virgolino (40:02):
I think he’s a good one.
John Virgolino (40:04):
He’s a good one, precisely because of Wile E. Coyote, who, in this world, Wile E. Coyote, he’s the bad actor, right? He’s the one launching the missiles. He’s trying to constantly dig the holes, throw anvils at the guy. And he gets through it pretty much, what 99% of the time.
John Verry (40:24):
I think 100% of the show [inaudible 00:40:27].
John Virgolino (40:28):
So, he deals with the adversity, somebody is constantly coming at him, it’s always something new, and he speeds through, he gets it done, and he gets to the goal. As far as I’m concerned, that’s what makes a CISO.
John Verry (40:40):
You know, it’s actually not a bad analogy. I mean, and you can look at it from the other perspective of, that’s the DCMA and DIBCAC.
John Verry (40:53):
And yeah, you want to stay a step ahead of them, right?
John Verry (40:56):
Get that good SPRS score in there, so that they’re not coming out to do a moderate, or assessment on your organization using their criteria, instead of yours. Right?
John Verry (41:06):
All right. Well, listen, John, it’s been fun to chat. If somebody is listening, and said, “Hey, I’d like to get in touch with John, or Consul-vation,” how would they do that?
John Virgolino (41:16):
Easiest thing to do is just go to our website, consulvation.com, and check us out there, and there’s a contact page, and we’ll talk right away.
John Verry (41:24):
Sounds good man. Always good to catch up.
John Verry (41:27):
I look forward to the next time we have reason to chat.
John Virgolino (41:31):
Absolutely. Thank you so much.
You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected] And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.