April 2, 2021

Let’s talk about the Cybersecurity Maturity Model Certification, or CMMC. 

What is it, why should you care about it, and how do you know if it’s going to impact your business? 

While the industry has always known that CMMC certification was going to move beyond the Defense Industrial Base (DIB,) we assumed it was going to likely be towards the end of 2021, likely into 2022 and 2023. 

But it’s growing at lightning speed, and more and more businesses that previously didn’t think they were going to have to worry about it are suddenly finding themselves in a position of needing to start seriously considering it in order to keep the contracts that they have with a myriad of third parties. 

In this episode of The Virtual CISO Podcast, host John Verry, CISO and Managing Partner at Pivot Point Security goes over everything involved in CMMC level 1 certification, and what businesses need to know to get ahead of the game. 

John outlines:

  • What exactly is CMMC? 
  • Why it’s hitting more companies than you may think
  • How your company can get CMMC ready
  • The time and resources needed to get CMMC certified

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (00:06):

You’re listening to The Virtual CISO Podcast. A frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no-B.S. answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:23):

Hey there and welcome to yet another episode of The Virtual CISO Podcast with me as always. I guess I’ll have to start saying with Andrea VanSeveren. Good morning, Andrea. I’m tempted to say good morning, Jeremy, but…

Andrea VanSeveren (00:35):

It’s okay. The other Jeremy. Good morning, John.

Andrea VanSeveren (00:41):

Hi, everyone.

John Verry (00:42):

So, different episode, huh? It’s one of those ones where we do not have a guest, so this is going to be a different episode. Really what we want to do is have a pretty deep informational dive on what’s referred to as the Cybersecurity Maturity Model Certification or CMMC, and talk about level 1 right, which is the lowest level of security controls that are required under this contract. And really, what the focus is of CMMC level 1 is protecting what we call Federal Contract Information or as you might hear an acronym FCI.

Andrea VanSeveren (01:15):

Yeah. Great, John. I think lots of people aren’t sure where to start when it comes to CMMC. And really, any company, any subcontractors that bid on DOD, Uncontrolled Classified Information, or Federal Contract Information are going to need to think about getting compliant.

John Verry (01:32):

Yeah. And CMMC level 1, I think that you hear different numbers like 300,000, 350,000 folks in the Defense Industrial Base, the vast majority of them are going to be level 1. That’s the bad news. The good news is that level 1 is not that huge a bar. It’s 17 fundamental information security controls that most organizations are already going to have in place. So, I think if you’re somebody who services the Defense Industrial Base and is going to, at some point in the not too distant future, have CMMC as a contractual obligation through your agencies or your prime, through DFARS clauses, I think this is going to be a fun episode for you.

Andrea VanSeveren (02:13):

Yeah. Me too. And most companies, like you said, are either going to be at a level 1 or working towards level 3, so it’s just important for folks to know the details and where they stand.

John Verry (02:22):

Agreed. With no further ado, let’s get to the show.

Jeremy Sporn (02:28):

Hello there and welcome to an unusual episode of The Virtual CISO Podcast. I’m your not so usual host, Jeremy Sporn and with me, unfortunately as always, the Eli Manning to my Daniel Jones, John Verry.

John Verry (02:45):

I’m going to take that as the hall of fame resume to the young upstart versus the old guy to the young guy, okay? So, that’s where I went with it.

Jeremy Sporn (02:54):

Whatever helps you sleep at night, John. The [crosstalk 00:02:56] and nine year olds.

John Verry (03:00):

I have a feeling that’s not what you meant though, but I’m going to go with it anyway.

Jeremy Sporn (03:03):

That’s absolutely fine. And the guests are not here to listen to old man jokes, they are here to understand how CMMC, particularly CMMC level 1 is going to affect them. There’s some confusion in the world around CMMC and we’re going to shed some light, particularly on level 1 but without jumping too deep into the pond, some people may not know what CMMC is. John, can you enlighten us, what is CMMC?

John Verry (03:30):

And the people that don’t yet know what CMMC is, are going to find out pretty soon because it is just becoming omnipresent. So currently, right, the CMMC, the Cybersecurity Maturity Model Certification and that’s a mouthful, is a framework, if you will, an attestation based framework, a mechanism by which the DOD is going to enforce security into the Defense Industrial Base or what we call the defense supply chain. The reason for this is that we had a framework for, since I believe 2015 called NIST SP800-171, which defined 110 controls or practices, good information security things to do, which you had to self-attest to actually performing. Unfortunately, many entities of the 350,000 odd entities in the Defense Industrial Base didn’t take it all that seriously, they actually didn’t do a good job of actually conforming. We’ve continued to have breaches that cost the economy, what is it? The number? $600 million a year, something of that order? [crosstalk 00:04:37] Yeah. At some point it’s-

Jeremy Sporn (04:40):

It’s beyond Jeff Bezos, so that’s all we need to know.

John Verry (04:43):

As that one senator said, “A billion here, a billion there, pretty soon, we’re talking about a lot of money.” But anyway, we were losing a lot of money, our national defense was at risk. So, they came up with the CMMC program to correct that. So what they’re going to do is now, you are going to be audited to confirm that you’re actually conforming with these requirements. The CMMC level 3, roughly conforms with the NIST SP800-171. The CMMC level 1 actually directly conforms with the 52.204.21, I believe it is FAR Clause, which had 15 requirements because it only protects something called FCI, Federal Contract Information, where CMMC level 3 protects CUI.

Jeremy Sporn (05:27):

So then that begs the important question. What is the difference between FCI and CUI?

John Verry (05:34):

Yeah, good question. So, FCI stands for Federal Contract Information. You can think of Federal Contract Information as just what it sounds like, any information that is involved in a federal contract. The fact that you have that federal contract, what that federal contract is actually for, the good product or service which the government or a prime is actually purchasing from you. CUI stands for Controlled Unclassified Information. Controlled Unclassified Information is a generalized classification for information that covers a broad spectrum of data, depending upon the agency that you might be dealing with. So in the Defense Industrial Base, it’s predominantly information relating to DOD, defense systems, weapon systems, things of that nature. Just as an FYI, CUI is defined by what’s called NARA, National Archives And Registry. But NARA defines CUI. So there are the class of CUI. So as an example, student records is actually classified as CUI, patient health information is classified as CUI.

Jeremy Sporn (06:46):

Yes. And so, it seems if you’re reading the tea leaves, we’re talking on January 22nd, 2021. It’s important distinction from 2020, but there’s a lot of noise going on about how CMMC may push itself outside of the DOD. But we’re going to be focusing primarily on those DIB organizations who are going to need to be focused on CMMC level 1 in the more near term, but I’m sure that this is going to be inappropriate conversation for firms outside of the DOD in the not too distant future. Is that how you’re seeing it as well, John?

John Verry (07:18):

Yeah. In fact, you and I, we’ve had to [inaudible 00:07:22] about this for a while now, where we had an expectation we were going to see this grow beyond the DIB, but we thought it would happen perhaps late 2021, probably 2022, 2023, it’s happening at lightning speed. So the new Polaris contract that the GSA is putting out, specifically tells organizations to be ready for CMMC. FERPA has a new program where they’ve told the institutes of higher education, so if you are a college or a university, be prepared for CMMC. And then today, the Department of Homeland Security, it just indicated that they are going to let contracts this year that have that CMMC requirement in it. So yeah, we thought maybe when we booked this two weeks ago that we’d be talking about just DIB, Defense Industrial Base and DOD. But honestly, at this point in time, this is going to apply so much more broadly. It’s going to be applicable to a lot of people that might be listening.

Jeremy Sporn (08:15):

Got it. So let’s jump into level 1 itself. Let’s give the people an understanding. What is level 1 and how would they know if it applies to them?

John Verry (08:25):

So level 1 is… CMMC is a maturity model. And what happens in this maturity model is that at different levels, you have a different number of what they refer to as practices. You can think of practices as being information security controls, different number of practices that need to be implemented, right, to a different maturity level, right? So, that’s why it’s called Cybersecurity Maturity Certification. So what happens is, at a level 1, you have an obligation to implement 17 specific controls and those controls directly map to the 15 controls that are outlined in that 52.204.21 clause, if my memory serves me right as to the clause. That FAR Clause.

John Verry (09:15):

So, how will you know that CMMC level 1 applies? Well, first off, someone will tell you, “Hey, in order to continue doing business, we need you to be CMMC level 1 certified.” That will become an obligation within contract. And the way that you will know that that’s forthcoming is, “Do I have that 52.204.21 in any existing contracts?” More broadly, if you have a contract directly with a DOD agency or through a prime, someone like McDonnell Douglas or someone like Raytheon, Huntington Ingalls, those types of entities. If you have those contracts, you will have to minimally hit a CMMC level 1.

Jeremy Sporn (09:56):

Got you. So, companies that are providing services to subcontractors of subcontractors of subcontractors, should they be thinking about level 1 as well? If they know that their business relies on companies upstream from them getting DOD work, is that something that they should be concerned about?

John Verry (10:17):

So, yeah. We expect there to be extensive flow down. The L-1 flow down, I haven’t seen clarification on that yet specifically, but if we look at the CMMC L-3 flow-down. So, DFARS 7012, 252.204.7012, often refers the DFARS 7012 Clause. Mandated… Originally, that was the one that called for NIST SP800-171. And then what they’ve done is they’ve [clarenout 00:10:44] in that, in clause M within that contract. They mentioned the fact that you needed to make sure that entities below you were compliant, but most people misinterpreted that as not happening and didn’t happen. So what they’ve done in… 7012 is now being augmented or usurped by 7019, 2021. And in 1920 and ’21, there is a clear requirement that if you are subject to that clause, that you have an obligation to ensure the subcontractors, the people that you subcontract to, that they are conforming with the same level of controls.

Jeremy Sporn (11:25):

Got it. Okay. So there are a good number of companies who are going to say, “All right. I fall into this bucket. I should be aware of this, I should be concerned about this.” What do they need to know to get L-1 or level 1 certified?

John Verry (11:39):

So, level 1 is a really interesting beast to me because there is what the framework says you need to do. And what it says you need to do, and what I think is the best way to do that, differ, which is kind of an odd paradox. And what I mean by that is… So let’s go to CMMC level 3 for a second. So the CMMC level 3 has a great deal more formality, and that’s what most people are concerned about. And in CMMC level 3, as an example, you need to have policies. They need to be documented. For each practice, that policy needs to incorporate those specific practices. So, it’s very formalized. So if you look at, and you need to have something called a system security plan, okay, and that system security plan is a document which defines the information that’s in scope, FCI, and/or CUI.

John Verry (12:34):

And it defines how that information flows to you, how it’s generated within your organization, who you’re sharing it with, what systems, what people processes the systems interact with that data. And then it documents for each of those 130 controls, an example in a level 3, how the controls actually protect the data within that context of the SSP, right? So, you don’t need an SSP and you don’t need policies for level 1, but here’s where it gets interesting. How do you become CMMC certified? So to get CMMC certified, what you need to do is you need to engage what they refer to as a C3PAO. They will send out an auditor, and that auditor’s job is to find what we call persistent and habitual evidence. Two forms of objective evidence for each of those 17 practices of what we call habitual and persistent execution of said practices.

John Verry (13:32):

So now here’s the question. That auditor walks in your door and he says, “How do you do this?” Right. If you haven’t taken the time to document that, right, how do you tell him how you do that? And if you haven’t taken the time to document that, how do you know that you have the evidence to support that? Because, if he doesn’t find evidence of that being executed over a period of time, you’re not getting your certification. So to me, it’s almost like, imagine a lot of people that are going to be listening to this are going to be business owners that are saying, “Crap. If I don’t get this, I’m going to lose my contracts.” Right? So this is a huge business risk. Screw the technical risk, the business risk is really the big risk here, right? So, the question becomes, so if you’re a business guy and you listen to this, if you’re trying to grow a business, do you have a business plan? Right?

John Verry (14:19):

What does the plan tell you? It tells you what’s my strategy for achieving my objectives, and then how do I track that I’m actually doing that. Well, that’s what a system security plan does. So I would argue that the best way to achieve level 1 is to develop the system security plan, and within the system security plan to document those policies, if you will. How you actually achieve those 17 things, right. Those 17 practices. And I would also document in there how I evidenced that. So the beautiful thing about that becomes, as the business owner, I’ve got one document that I can grab hold of and anyone whose throat I needed to choke, I can look at that document and I can say, “Guys, do we have this crap?” Right? Because, I mean, we need to be in a position where we have all this stuff when the auditor walks in the door.

John Verry (15:07):

The second thing that I think is a huge advantage, right, anyone… And I’m an auditor. I’m an ISO 27001 certified Lead Auditor. I’m a Certified Information Systems Auditor, right. You want to lead an auditor by the nose, right. Because what you don’t want is the auditor to walk in there and say, “What do you have?” And you say, “What are you looking for?” I mean, because then you’re just opening up your kimono, right? So what you really want to do is you want to walk in, and when the guy walks in the door, you want to say, “Sir, I’ve prepared everything I think you’re going to need for your audit.” Boom. And now what happens, is he’s not digging into crap that you don’t want him to dig into. He’s looking at the evidence that you gave him. And logically most auditors, right, they might dig a little bit beyond that but if you give them everything they need and they had planned to be there for two days, and then you get to do it in a day and a half, they’re pretty happy with you.

John Verry (15:55):

So I think the second thing you do is you control the audit process. So, so many times I’m chatting with people now on the phone and they’re saying like, “Hey, we need a schedule,” and I’m saying, “You should do it.” And they’re like, “No, I’ve looked at the standard. The standard says I don’t need that.” And I’m like, “Yeah, I know. But…” So that would be my argument. I don’t know if it makes any sense to you listening to me.

Jeremy Sporn (16:17):

It does. And I think it’s helpful for our audience to know, because John presented himself as an auditor, he’s also the owner of Pivot Point Security. So he has the business mind to look at this and say, “If I can make my life easier from a business standpoint, I’m going to do that.” So I think you bring a unique perspective to share with companies who need to go through this, which I think is pretty cool.

John Verry (16:38):

Yeah. And I think I would, thank you by the way, and I agree with that. And I think as an information security practitioner and as an auditor, I would say, my thought processes, I manage risk for a living, right. So, and I manage the risk associated with the company, right. And you’ve been involved in many business meetings where I’m asking, “Okay. How much exposure do we have here and how do we minimize that?” Right? How do we minimize that risk? So, if you’re somebody who is generating 90% of your revenue through the DOD, through being a member of the Defense Industrial Base, and you fail this audit, right, you’re effectively out of business. Right. Because they will not let you a contract. You can’t have a new contract, you can’t renew a contract without that. So that’s the way I look at it is that, to me, if you’re listening to this as business owner, the process that I just outlined, yeah, you’re doing a little bit more work I believe, but A, you’re mitigating the risk associated with… your son just walked in.

John Verry (17:41):

So, clearly Jeremy doesn’t listen to my risk mitigation with regards to children being curious about what you’re doing.

Jeremy Sporn (17:48):

Nice play.

Jeremy Sporn (17:53):

Well, everyone will know now that my son has light up shoes and he’s extremely happy about it. Welcome to working from home in 2021.

John Verry (18:03):

Hey buddy. He can’t hear me. That’s funny.

John Verry (18:09):

But it’s risk. I mean, to me, it’s risk management 101. If I can put a little more effort in, and I could be assured of success…

Jeremy Sporn (18:17):

Yeah, I’m going to take it every time. So, the next logical question after, so anyone listening to this says, “I know I got to do this. I know I got to put some effort into this. It’s important to my business.” How long is this going to take, and what’s it going to cost me? The proverbial question.

John Verry (18:34):

So the good news is that it doesn’t necessarily have to take that long, and/or it doesn’t necessarily have to cost that much, but there are some it depends, as there always are. So what are the, it depends, that are going to help me kind of figure that out? So the first thing is that, how mature are your existing controls? So when you look at the 17 odd controls that you actually need to actually achieve the standard, how many of those are actually in a position where you actually have those in place versus how many do you not have in place? Because if you don’t have them in place, right, you’re going to have to implement them. So let’s talk about a couple of those controls, right. So as an example, three or four of the controls are on access control, right. Do you have mechanisms to limit information systems access to authorized users?

John Verry (19:25):

So what that basically means is, do you have good access control? Do you have passwords or using active directory? Do you minimize people’s connections into systems that don’t need access into those systems? Do you minimize people’s access into your environment from outside of your organization through VPNs, and things of that nature using multifactor authentication, those types of things, right? So realistically you take a look at those 17 areas that you need to address. If you… They’re vague, right. So as an example, let me kind of read one that kind of gives you an example of what we’re up against. Sanitize or destroy information system media containing federal contract information before disposal, or release for reuse. Maybe you don’t know what that means, right? So what’s cool is that there are plenty of documents provided, NIST SP800, HB1… I’m sorry, it’s not SB. It’s an HB162, I believe it is.

John Verry (20:21):

But there’s a handbook that gives you some of this guidance. So you can look at the 800-171 assessment methodology. They give you clarification on what is the question you should be asking yourself. Do I meet this standard? So that’s the first question, is that of those 17 odd controls that you need, how many do you have in place? And there’s… Most of them are fairly simple and most organizations have a lot of them in place, right. So as an example, they have controls around physical security, right? So they have escort visitors and monitor visitor activity. If you’re already doing that, great. All right. So now the next thing is that, do I have evidence of that? Right. Should I document that in a policy? I think you should, because not only does the policy provide value during that audit process, not only does that provide value for you to know that you’re going to pass your audit, but it provides value in that it tells your people what your expectation is, right?

John Verry (21:07):

Policies, managements, promulgation of expectation. What do I expect you to do? As a manager, as an owner, why wouldn’t you want people to understand what they’re supposed to do? And why wouldn’t you want to document that so that it’s not ambiguous and clear, and that future people who get hired to the company, you don’t have to count on remembering to tell them that. So, that’s the question that you need to ask yourself, is how much of this stuff do I have? The vast majority of it is not rocket science. So, the question becomes what’s my gap and how am I going to close that gap? And how am I going to ensure that I’ve got evidence when the auditor walks in? And that evidence should span minimally three months at this point, I would expect to say. And do I have that evidence?

John Verry (21:50):

So if you want to work with a consulting organization to kind of implement some of this stuff, it’s going to run you into the thousands, but it’s not going to run you into the tens of thousands. That could… By the way, real quick, the latter, if you are a 3000 person organization with 10 locations, all bets are off. But the vast majority of the entities that are level 1 beholden in the DIB are going to be small to moderate size organizations. 5,000, 200 people, the kind of numbers I’m throwing around are pretty typical for them.

Jeremy Sporn (22:24):

Got you. So, and you didn’t mention the option to hire bluntly, someone like Pivot Point Security to help get, to help achieve that, understand gap, close gaps. For the people listening, we try and remain as objective and neutral as possible. We don’t want to oversell, but we do feel that there are people out there, there are companies that would benefit from hiring someone like us and others that wouldn’t. So, John, can you help people understand who are the right companies to talk to a consulting firm, and who should probably DIY it or Rover on.

John Verry (22:55):

Yeah. So, let’s start with, what are the attributes of companies that would be, potentially, someone who would be more likely to work with an outside entity? Right. So I think A, how big is the risk from a business perspective? Right. If 10% of your revenue is through the DIB and you went for a CMMC level 1 certification audit and failed it, and got delayed six months, you probably, yeah. It hits your bottom line a little bit, but it’s not a big deal. If 100% of your revenue is through the DIB, all right, maybe having an outside expertise to kind of provide that assurance, that risk management, “I’m not going to fail,” make some good sense. I think the second thing is that, this is an opportunity for many organizations to address security to board level, right? If you don’t have a lot of these controls, whether or not you’re worried about your DIB contract enough, you should be worried about your business. Right.

John Verry (23:49):

We deal every day with organizations that have been compromised, that have been hit with ransomware attacks, that have had their information stolen, locked up, that have lost their businesses. Organizations where through business email compromise, people have gotten into their accounting systems, rerouted payments, things of that nature. So, that’s the secondary question is, do you have a requirement beyond just conforming with these 17 relatively simple controls? If it’s nothing more than these 17 controls, if it’s not a big risk, if you’ve got a really competent information security team or information IT team that’s super comfortable with this stuff, or you’re working with a great MSP, you know what? You probably don’t need expertise like Pivot Point Securities, right? So it probably isn’t a good investment. But if you’re in that first class, I think you could make an argument that it’s worth looking at.

Jeremy Sporn (24:40):

Makes sense. So, one of the last questions I’ll ask you, perhaps the last question, because I feel like we’ve covered the topic pretty well. There’s a prevailing thought that CMMC level 1 folks could be looking at it as a stepping stone to level 3. If that is the case, if they’re looking to potentially expand their business in the DIB or they’re looking at other federal contracts, or they want it as maybe a notch on their marketing belt to say that they’re level 3 certified, is there a way that they can approach level 1 to make them move to level 3 a little bit more simpler or better?

John Verry (25:16):

Excellent question, and that probably should have been part of my answer on the last one. Is level 1 your end game, or is level 1 a stepping stone on achieving a higher cybersecurity posture? Right now that posture might be, I’m a CMMC level 1 and I’m ISO 27001 certified, or I’m socked to a test that are on FedRAMP ATO or something of that nature, depending upon what your clients are asking you for. But, I think that if you are in the Defense Industrial Base, that very often, there are a couple of such circumstances that can occur. That we’re seeing occur and we’re talking to people. There are entities that are receiving FCI, and on occasion, FCI can rise to the level of CUI. So you have to be cognizant of that as well, is that there is the potential that right now, while your contracts are FCI.

John Verry (26:11):

So as an example, working with an organization in the manufacturing sector, that manufacturers some custom parts that go into some, I’ll use the term weapons systems, whereas going to go into weapons systems, or actually there are what looks like a commercial off the shelf product, but the government has tweaked some of the specs and the contract. The tweaking of the specs in the contract became FCI. Right. So what happened was by winning this contract, they became CUI beholden based on FCI, which is kind of a crazy idea. So, that’s one place where I think you might see it. The second thing is that, a lot of the organizations are kind of moving in a direction where they want to move upstream in what they’re offering to the government. So this idea of moving towards CMMC level 3 makes sense, and using CMMC level 1 as a stepping stone. If you’re going to do that, there’s some elegant ways of doing that. Right.

John Verry (27:01):

So what you do is you actually start by assuming that CMMC level 3 in any good, whether it’s one or three. The first thing we have to do is understand the scope of the Federal Contract Information or the Controlled Unclassified Information. And when I say scope, think about tracing the flow of data and what are the people process systems applications that it touches, right. Anything that stores or processes or creates FCI or CUI is beholden to those requirements. So that’s what that scoping exercise is. So, if you know you’re FCI now but you might move to CUI, well, then what you’ll do is you’ll actually just do that scoping in such a way that you’re accounting for both at the same time. And then, instead of just looking at the gap between where you are with those 17 practices within CMMC level 1, you’ll look at where you are within the scope of those practices for the 130 practices for the CMMC level 3. I said that a little awkwardly. Did that make sense?

Jeremy Sporn (28:04):

It did. But I’m used to your awkward talk, other people may not. [crosstalk 00:28:08].

John Verry (28:09):

Yeah, it was awkward. I recognize that. So what I’m saying is that when we get to the point where we’re looking at how your controls are implemented, and do they meet the requirements, right. There’s 17 requirements for level 1, there’s 130 for level 3. So we’ll typically do, if someone’s on a level 1 for now going to level 3 in the future, what we’ll do is we’ll do the full gap assessment or control maturity assessment against all 130. And then, when we create the POAMs or call them Gap Remediation Plans for them, they’ll be for both the 17 and then the additional 113 if you will. And then what we’ll do, is we’ll prioritize the remediation of the 17, that will get them to the CMMC level 1. So we’re ready to get to their audit fast, we’ll get them CMMC level 1 certified, and at the same time we’ll be working on the other 113. Closing the 100 and other potential gaps in the other 113 controls, so that they’ll be ready for a CMMC level 3, let’s say the next year.

Jeremy Sporn (29:07):

Makes perfect sense. And it only took a half a beer for you to confuse people that much.

John Verry (29:14):

I would actually say that’s quite more than half a beer.

Jeremy Sporn (29:18):

Sorry. Okay. All right. Well, thanks for the clarification. That actually makes you sound better if you drank a full beer so that yeah. Cool. Well, Eli Manning, this has been very insightful, as Daniel Jones, who can clearly run much faster than Eli Manning-

John Verry (29:33):

And fumble the ball and trip over his own feet at the end of the run.

Jeremy Sporn (29:37):

Eli Manning is a phenomenal fumbler. I don’t think we need to compare the two.

John Verry (29:41):

But he doesn’t trip over his own feet. We can agree on that.

Jeremy Sporn (29:43):

That’s fair.

John Verry (29:44):

That was one of the most… Look I’m a Jet fan. We like to buzz each other. And I recognize that the Mark Sanchez butt fumble is a high point in people’s ability to razz the Jets. But Daniel Jones tripping over ghosts at the five yard lines after running 80 yards is not that far away from it.

Jeremy Sporn (30:06):

Yes. The only saving grace is that they did score a touchdown on that drive. So, somehow-

John Verry (30:12):

The Patriots scored a touchdown right after the butt fumble. So, I mean, it’s the same thing, right?

Jeremy Sporn (30:16):

Sure. John, thank you so much for the time and the insights. Everyone, I hope you enjoyed this episode. Hopefully we’ll get back to John hosting these things because it feels a little awkward when I host them, to be honest with you. You must feel the same way.

John Verry (30:30):

I agree. It’s weird being in the passenger seat.

Jeremy Sporn (30:34):

Everyone, thank you so much for your time and have a great rest of your day.

Narrator (30:39):

You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time. Let’s be careful out there.