Amira Armond On Increasing The Likelihood Of Passing Cybersecurity Assessments

Businesses are required to undergo cybersecurity assessments to ensure data security. This process verifies that they have the necessary safeguards against cyberattacks, breaches, and data leaks. However, many fail to meet the regulatory requirements set by the Cybersecurity Maturity Model Certification and the National Institute of Standards and Technology. John Riley and George Usi explore this topic further with Amira Armond, Vice Chair of the C3PAO Stakeholder Forum and President of Kieri Solutions LLC. She explains the common challenges businesses run into during cybersecurity assessments and why these problems are mainly caused by the huge shortage of institutional knowledge in this area. She also discusses how this issue seeps even into federal agencies, putting classified information at serious risk.

Welcome to another episode. We’ve got a great guest here and she’s a search and rescue enthusiast who loves to explore the great outdoors. She’s prone to crazy adventures in life like explaining how she got impaled while working in IT. She trains canines to help find people in the forest and fell in love with the CMMC by attending an event and never turning back. Welcome, Amira Armond.

Thank you for having me.

We’re going to jump right in here with our leading question, which is, if the cyber risk was a pizza and the frameworks were a crust, what’s the riskiest topping you’ve seen and what topping would you equate that to?

I love onion on pizza and I am always afraid to order it. That would be my most risky topping. This is such a weird analogy. The reason why is because it’s very hard to trust that the pizza place will get it right. Sometimes they undercook it. You get raw onion on your pizza. Sometimes they use the very spicy yellow onion as opposed to a more savory red. Part of the reason why I bring that up is because one of the things I do in cybersecurity is I talk a lot about supply chain cybersecurity.

Can you trust your vendors to be secure? Can you trust your clouds to be secure? I’ve seen it on both sides. I’ve been the user, but I’ve also been on the cloud side. I know what it’s like on the cloud side. They’ve got servers too. They’ve got switches and workstations and regular people too. It can be as messy as your network. You can’t tell because it’s a cloud. That’s my analogy to a pizza.

I’m right there with you because I’m one of those people that if an onion is cooked, I’m okay. If it’s not cooked, it’s too spicy. I feel that and you never know if you’re getting red or white or yellow or what color of onions, that spice is it. I honestly thought you were going to go more for peeling back the layers of the onion but that’s okay. I like your analogy better.

Do you get many onion references on this one? What’s the most common?

I think that’s the first. The most common is usually anchovies, but the strangest one was peanut butter.

That’s some European pizza people over there.

You’ve heard. In my situation, we avoid onions on our pizza altogether, but we love onions.

That’s because it’s like a relationship between you and a managed services provider. It’s so scary to trust that person to do the right thing.

That’s not the reason, though. The reason is because now I have a son and when he eats, he sometimes drops food on the ground and onions for our dog. That’s why.

No poisoning the pup.

We have a dog we love a lot and the last thing we need is having her go after the pepperoni with onion that our son drops, but we’re very close. He’s not dropping as much food anymore because he is in first grade. Maybe soon. We’ll see.

Get back to those onions on that pizza. That’d be good.

I think it’s very applicable too because what your risks are and the reason, the justification. Justifications can be different, so we all have a reason.

Maybe your example could be adopting a solution that, in most cases, would be awesome, but you don’t have the tech expertise or techniques internal to take advantage of it.

I think that’s why we love this topic so much of pineapple on pizza. It can resonate in so many unique ways. Great answer, though. I did not think you were going to go in the direction with onions that you went with, but that tells me that you and I would enjoy pizza together because I have the same problem you do in terms of the onion. I love onions.

Amira, tell me, what keeps you up at night? What problems are you seeing with your customers?

For context on that, you need to know a little bit about what I do. I run a company that performs cybersecurity assessments primarily of defense contractors. What keeps me up at night is worrying that we are going to assess a company and have a very bad result because the company fundamentally does not understand cybersecurity or what they’re getting themselves into by requesting an assessment. It’s very ironic that a company will say, “I want to give you money. Take cybersecurity people and review me.”

When we start the process and we go, “We’re going to do this. Where are your inventories?” they go, “What? What do you mean? I need to know every computer that’s on my network?” We go, “Yes, that’s step one.” It starts going downhill from there. I put out a lot of free content to try and explain the minimum standards, what an assessor’s looking for and what you need to do to prepare for cybersecurity if you’re a defense contractor. It keeps happening. The message hasn’t gone out yet, so it does keep me up at night.

I can understand that and we’ve seen something similar along those lines. Tell us what some of your biggest challenges are in meeting regulatory requirements now. You’re doing the auditing of that and you mentioned that the first step is an issue. What do you see companies struggling with beyond that?

In our area, you might have heard about the CMMC, the Cybersecurity Maturity Model Certification, which is the Department of Defense’s answer to supply chain cybersecurity. They’re basically telling defense contractors that they need to be third-party assessed by a qualified cybersecurity assessor to verify that they’re performing the 110 requirements that have been defined by the National Institute of Standards and Technology.

There’s a lot in that sentence, sorry. NIST, the National Institute of Standards and Technology, wrote a document that said, “Here are all the things you need to be doing for cybersecurity.” We come and assess that. The challenge that we are facing as assessors is that we lack guidance from the Department of Defense about how to handle situations where there are external service providers, such as managed services providers, managed security service providers, the guys that do the audit logging and the incident response, or clouds, such as Microsoft 365 or AWS.

Those are well known, but we also run into situations where people have engineering clouds or architecture clouds that they use, which are not well known. The DoD is basically saying all of those external service providers need to be secure themselves. That’s great. We don’t want the managed service provider to be hacked and then all the clients get hacked. They’re also not encouraging anyone to assess those external service providers yet. We don’t have a method to verify their security other than assessing them as part of their clients, which gets very ugly from an assessment standpoint. I don’t want to be assessing two completely different networks during the same assessment.

They can make it even more difficult because then they’ve got another 30 or 40 or 50 or 100 clients beyond that, the MSP that could have that. That’s a moving target.

We are expecting the DoD to release guidance on that question, though. They’re supposed to release a big regulation that says how to perform the CMMC certification process. I’m over here crossing my fingers, hoping for some clarity.

That would be good. In the assessments that you’ve done, out of those 110 controls, which ones do you find are the biggest struggle to get implemented?

I’m not going to speak about my own personal experience, but the Department of Defense released a presentation about their statistical analysis of assessments performed on defense contractors using the same requirements that I use. The number one hardest requirement, which a huge percent of defense contractors don’t meet, something like 30% or 50% of them, is the FIPS-validated modules for cryptography.

Let’s back up. When you have data that you’re trying to protect, you’re protecting it either by encrypting it on the hard drive or encrypting it while it passes across the internet. To do that, you’re going to use an algorithm such as AES or Triple DES or whatever the algorithm is, which is the mathematical equation for encrypting the data.

The federal government, via NIST, their standard for encryption is to use a program, a module, an app. Not just the code but an end-to-end application to perform the encryption, which includes the algorithm inside of it. They say you have to use a validated module. The problem is it takes perhaps three years to put a new piece of software or a new piece of hardware through that validation program and it’s costly.

For example, Windows, which everyone uses, including the government, the last version of Windows that was FIPS validated was Windows 10 from 2018. Technically, anybody using Windows is either missing a whole lot of critical patches or not compliant with FIPS, including the government themselves. It’s a horrible requirement.

One of the very cool things that happened is NIST released a draft version of that 800-171 document, the one that has all the requirements in it. They changed the wording of this encryption requirement so that it seems like you might be able to avoid using a FIPS-validated module. You might be able to use other algorithms or other types of encryption and that’s very exciting.

I have seen some of that myself and dealing with the FIPS modules. They’re not easy to configure or get things running on either. That’s wonderful information and you read it here first, how’s that? I don’t know. Maybe not. Maybe you folks did a press release.

You had asked what other major struggles do defense contractors have with cybersecurity. A couple of other ones, and this wasn’t a requirement, but it’s a prerequisite, is virtually every defense contractor has trouble identifying the information that they’re supposed to protect. They’re supposed to protect a category of information called Controlled Unclassified Information, which is basically information that fits into a protected category.

It could be privacy data, health records or some cool stuff like here’s how to build a tank, how to build a missile, how the satellites are deployed because we’re talking about Department of Defense stuff. That information can come in many ways. It could be sent via email. It could be in a Word document, in Excel, in program code or a drawing.

When you get away from the pure document format, it gets harder to label it appropriately. Most people don’t know how to put a label onto software code, for example. How do you label a database? Very hard to do. When they share this information, they need to share it with the contractors so that they can build the missile, the tank or the satellite, but quite often, even the government forgets to label it appropriately.

The contractor has this thing that looks awfully important, but it doesn’t say that it’s CUI. That’s an issue that literally 90% or 95% of defense contractors have. There’s no great solution for it other than having meetings with your customers, the ones that are sending you the information and saying, “Let’s work this out together. Let’s figure it out,” because everyone’s having that issue. That’s not even CMMC or 800-171 requirement. That’s a prerequisite to getting to the assessment.

The other major requirements that people tend to miss typically come from misunderstandings, in my book. Things like how you apply the audit logging requirements, incident response testing, configuration management and inventorying. The requirements, when you read them at first glance, seem pretty simple. Have an inventory.

However, when you dig into how they are assessed, we could take that, have an inventory, and split it into six different things you have to do. Those are yes or no questions and they’re very stringent. Have a baseline configuration. What is that? The baseline configuration has to include six different things and it has to be shown to be modified over time. Now we have the inventory. The inventory has to exist. Most people have the inventory part. That’s great, but that needs to include six different types of information. Most people don’t have that. The inventory has to be maintained over time. Maybe, or maybe not. That’s one of the 110 requirements.

When we get to assessment readiness, it’s way more detailed than most people realize, but it’s not that much harder. Performing an incident response test is not that hard. I can lead one. I can run a company through a test in about three hours. We can get it done and then you’re done for the year. Most people don’t understand how to do it and what qualifies as a test. You’re laughing, John.

I’m laughing only because I agree with that. They don’t understand or it depends on who you’re working with. It depends on how technical they are because what I’ve seen is if there are technical questions, there are business questions and so getting the right people in the room helps. Even then, a lot of times, it’s, “I need to go find something or I need to go look,” or it’s not at the tip of their tongue or their fingers right there. I’ve seen them take quite a bit longer for audits like that, weeks sometimes, because they’re trying to gather data or they’re trying to fix it as they go along. “You asked for that,” then they try and fix it because they didn’t have it.

Personally, I hate to mark somebody not met because they’re missing a sentence in a policy. There are many cases with the type of assessments we do where one of the things we have to check is do they have that sentence written somewhere. It’s so simple, so easy to do, but people don’t realize that they have to have a sentence written down.

I think it’s a big piece of the equation that doesn’t apply just to CMMC but also to omnibus privacy laws as well. There are organizations that are DoD subcontractors that are potentially collecting personal information as well. We’ve had instances where we’ve had some teams say, “We wrote a 27001 policy, so we’ve got that base covered. We don’t care about what’s in 800-171 because the 27001 should work.”

It’s basically the same as saying, “I’m based in Texas, so I don’t have to worry about California privacy laws.” If you’re doing business with taxpayers in California, yes, you do if you’re under a certain threshold. I think that lesson applies across what essentially are both, what essentially we would say are frameworks as well as regulatory and statutory requirements in general.

That’s always been our biggest challenge. That missing sentence is often written off as, “I have it over here, so that should be fine and this other thing that I’m dealing with.” That’s where it gets a little messy. I’ve got the same challenge with the cyber risk side of the GRC function and such is bigger than CMMC.

If you don’t get CMMC right, it affects your pocketbook as a business significantly. If you miss something and now you can no longer bid, that’s bad news. That’s a revenue problem. That tends to be the bigger concern. How is some regulation or risk going to impact my revenue? We’re hopeful that the mindset isn’t just revenue.

People want to do the right thing, especially when nobody’s watching. You have to know what to do without being told what to do when it comes to the cybersecurity side of things in a business. Often, a lot of education is required, is what I’ve learned. What has been your experience on the educational side in terms of bringing people up to speed?

There’s a huge shortage in institutional knowledge about cybersecurity, especially the federal government cybersecurity. Going back to what you mentioned about companies, this is a threat to their business if they don’t pass the assessment. That is for defense contractors. Honestly, if you’re a federal contractor, this should also be something on your radar because it’s coming, but for defense contractors, this has come. It is imminent that if you cannot pass a CMMC assessment and perform all the requirements, you will not be eligible to win new contracts.

My little company, I’m not a defense contractor, but I had to pass the CMMC assessment with my company in order to do assessments. I feel it because a few years from now, I’m going to have to get reassessed. If I fail, my company will stop. We will not be eligible to do work anymore. It’s as imminent a threat for us as it would be for a defense contractor. When the requirements change over time, the DoD issues new stipulations, “You have to have this from clouds. You have to have this from a managed service provider,” every single say is a real threat to my entire company. I have sympathy for the defense contractors.

With education in regard to CMMC and 800-171, which is the source of the technical requirements, if you have a strong sysadmin background, you can generally start saying and make sense of this stuff. It does help if you are a cybersecurity expert and you focus on the government’s governance, risk and compliance side, then you’ll have somebody trying to teach it to you, hopefully. A lot of it is being embedded in organizations that are doing the security at the level that’s needed and seeing what that looks like.

For me, I spent most of my career as a system admin. I was a little help desk key person, system admin, and then I moved into more of a systems engineer integrator architecture role over time, but it was always working with the Department of Defense. I got to see what that looked like, what vulnerability scanning looks like, what user access looks like and how they handle privileged users. That gave me a huge amount of context for what the federal government expects from their defense contractors.

Going back to the shortage in institutional knowledge, you have to have somebody with that level of knowledge in your organization to be successful. You need to have gone through an assessment to realize how much you don’t know. That takes time. One of the things that would make the CMMC program hugely better is if they could phase it in. Not the way they’re doing it now, which is phasing it in on this contract or that contract, but phasing in the percentage of requirements you need to do to pass.

If they made it, everyone has to do it now. Let’s release it out, but you only have to do half the requirements. In a year, you need to do 60% and in another year you have to do 70% and in another year, you have to do 80%. Within about seven years, everybody’s going to be running at 100% but they’ve had the easy assessments and they’ve had the time to build up that institutional knowledge.

We’ve been able to deploy it because people can pass, which is a struggle now because the DoD wants people to be basically perfect to pass. This means that they have to be very careful which contracts they require it for because if they require it now, they might not have anybody bidding on the contract. They’ve made it so hard that they can’t push it out in pursuit of perfection. Whereas, if they accepted not great, in about 5, 6 or 7 years, they could reach that perfection state.

I think that’s a valid point, but as you mentioned, I do wonder, and this is me positing what I think the problem might be, about leverage procurement, since we’re talking about contracts. Bringing up an entire contracts administration group in any public sector entity, for something to change every single year, it is not going to be pretty for a lot of the leverage procurement that’s out there. That’s the struggle. It is changing. I agree that it would be great if it was done in steps. I don’t think the procurement function now is prepared for such a situation. The question then becomes, how do you make sure procurement can keep up?

I do have a simple solution for that. You simply say they need a CMMC certificate issued by an assessment organization and then you tell the assessment organizations this year, they only need to hit 50% to pass to get their certificate. The next time you assess them, whatever year it is, they have to hit that percentage. The procurement officers don’t even know. They just see the certificate and they say great.

With the percentage. That’s a great answer. Can you hang around at my house for a while, because you can come up with some good answers to the problems I’m trying to figure out? How do you make this easy for nontechnical people? We’re all working on this and let’s face it, everything with a blinking light gets tossed over the fence to the technical people. You start getting into interdepartmental issues, which is especially the case in cyber risk situations.

Sometimes, somebody in marketing makes a mistake and violates some statutory requirement or procurement in most cases, which is where a lot of these enforcement points tend to exist within the CMMC and also in the private sector as well. We’re seeing more callouts and contracts and those sorts of things. It’s a difficult ballet across the board, but I love that idea.

I can understand where people come from the, “You have to be perfect. You have to be doing all the cybersecurity to pass,” which is they don’t want to be on the hook if somebody gets hacked. They said that was fine. You don’t have to have antivirus. That’s fine, then they get hacked and there’s news and somebody gets in trouble. It looks bad, but at the same time, the entire concept of risk is making a judgment of what is acceptable and what is the most effective and efficient way to handle it. Requiring all risks to be stopped at all costs will either bankrupt us or we won’t be able to do work. There’s always that sliding scale of finding what is functional and what is cost-effective.

This could be a four-hour episode speaking with you, I can imagine. I don’t think we have four hours, but I feel educated. Thank you so much. At least in terms of the ways to tackle the problems, it requires critical thinking amongst multiple folks with different experiences. Your experience clearly has a tremendous amount of value in terms of understanding how to tackle some of these more difficult issues of procurement.

We’re hopeful that somebody at NASCU or some of these other leverage procurement bodies who are tuned into our show. Obviously, the CMMC got a designated audience and we probably have a few of those for sure. Hopefully, people will listen to read and learn the same way that I did, so thank you. John, I can’t seem to bring up the rest of the agenda on my side. Where are we at this point?

Amira, how do you think things are now? You’ve described some of the plans there. Do you think that most companies are going to be able to reach this level of achievement, or do we need to do that 50% now? How long do we give them? What do you think on that? What does that future look like?

I am a big mouth. I talk a lot. I’m willing to give out unpopular opinions and I am very thankful and grateful that nobody has struck me down in retaliation. The DoD has heard all this stuff before, I think. I and about 30 other C3PAOs, we proposed that 50% to the DoD years ago. We sent them a letter and they said, “Thank you very much.”

I sit here thinking if they had started with a low bar that companies could pass years ago, we would already be up to the 80%. We’re still in this situation where we’re afraid to impose the requirement on companies because again, we might not have any contractors available because this is very hard to do. The largest companies can generally pass the CMMC assessment. They have the money, especially the biggest defense contractors. That’s all they do. They have very secured networks. They’ve been doing this for a while. They’re awesome.

Cybersecurity Assessments: If CMMC had started with a low bar for assessments that companies could actually pass three years ago, passing rate would be up to 80% right now.

There are very large companies that I work with. There are a few Fortune 100s that I work with. They couldn’t pass one now, then that extends down the line to the medium size companies and the smalls. The real pain is being felt by the small companies. About once a week, I get an email or a call from a very small company. I have ten employees. I am a manufacturer. We cut parts out of metal and we’re being told that we need to do CMMC level two and my profit for the year is $100,000. How do I do this? I don’t have a great answer. There are ways to get help with this. Not financial help at this point, but there are ways to leverage other companies’ expertise to do it more efficiently.

There are large managed service providers that focus on CMMC. If you pay them money, they will do all the CMMC things for you. They will build a new network for you. They will manage it. They’ll give you new computers and it will all be secure, but it will probably cost more than that profit margin for them to do that for you.

A ten-person company might be able to do it, but when I get the call from the two-person company, I don’t have an answer at all. For those folks, possibilities are talking to your primes and asking if you can use their system. Could I bid $3,000 more per year and you give me a computer to use, for example, or is there any way that you can keep the CUI over there and I can look at it with my eyeballs, then I go back to do the work?

There are ways of thinking your way out of this, but there’s a surprisingly large amount of companies that are running on Gmail.com email and personal MacBooks that have CUI who don’t have any security. Maybe they have an antivirus, maybe. That’s how they’ve been operating for years. We need to fix it. You shouldn’t have that data on these insecure computers, but at the same time, they don’t have the means to fix it themselves.

Let me ask you this. Are there any events or books that you would recommend for people to learn more about this?

One of the best events is the cloud. It’s CS2, so Summit 7. They’re a managed services provider that focuses on CMMC. They have events maybe three times a year and they’re called CS2. You can Google it. Those are probably the best source of information. I’m a little bit biased because I’ve been asked to speak at a couple of them, but it’s good quality information. If you are an IT person or a cybersecurity person at a company that needs to do CMMC, I recommend getting training to be a CMMC-certified professional.

That’s expensive training. It’s a few thousand dollars. The other option is to go buy a book. Edwards Performance Solutions offers the Certified CMMC Professional book, which is like $100 or something. That’s a good source of information. I’m also biased for Edwards because I teach CCP and CCA. I teach the certified professional as well as the certified assessor courses for them. I’ve taught a little bit more than 200 assessment students at this point. They do have a good curriculum.

Tell us about yourself. Let’s switch this around a little bit. How does one get into this, the cybersecurity? You gave us a little bit there of starting as a help desk person, sysadmin, systems engineer and moving your way up there. Is that the route you would suggest for somebody who is 10 or 15 years old now, looking at a cybersecurity professional career, start off at a help desk and move your way up?

For the fifteen-year-olds out there, for me, one of the things that worked when I was in my early twenties was I worked for free. I had a job at a help desk, but it was a big organization that I was working with. They had system admins and engineers. When I finished my day at the help desk doing password resets, I walked across the hall to the system engineering department and I spent two hours doing free work over there, building servers and setting up databases and that was invaluable to me.

Now most people can’t afford to lose their income, so I understand that but it was very helpful to me personally to volunteer and get exposure to that stuff that I would not normally be allowed to see. There are a lot of people that go straight into cybersecurity. I appreciate the folks that spend time as system admins or network admins who’ve had exposure building and operating the system and having to support users and have the users be functional.

As opposed to people that go straight into cybersecurity because it gives you such a better understanding of what it takes to not be secure but not breaking the network, not taking down the business and what’s a reasonable approach. Some of the best cybersecurity people that I know have that broad experience and it’s so helpful.

Need to have some application experience, network experience and system administration experience. It helps to understand how that goes.

I am a mentor for a workforce development program regionally. One of the things that I’ve learned is that a lot of the cohorts are struggling with which path do I take? I got to the point where I had to explain to them, “We’re all worried about hackers. The villain is the hacker.” I think a lot of people portray the hacker as a criminal with a hoodie.

What we’re missing is that they’re arsonists too. If you think about that industry because they set these little digital backdraft fires where you don’t know you get hit and they set the fires and they hold the match over the data, “Pay up or I’m going to drop the match,” concept. It’s like learning to be a firefighter. You’re not going to get in there and fight the fire on day one. You’re going to have to carry hoses. You’re going to have to do other things first.

John’s point of you have to do a little application, a little bit of system and a little bit of network. I do believe to some degree, there is a rite of passage in that approach. You do have to get your hands dirty in as many places as possible. I love your approach because, selfishly, I did the same thing. I worked for free when I got started and it worked out well for me. I also had a great helper and technical mentor who happens to be here with us. He and I have known each other for some time. He was the guy helping me out on how to learn the tech and carry the hoses and how to fight the fire, so to speak.

Should I get us all in trouble and ask whether cybersecurity can be an entry-level career?

It can be, but it has to be something in writing. If you’re a great writer, that’s where we suck as an industry in general. Let’s face it, a lot of the people that became techs have conceded to me many times, “I couldn’t pass that damn English class back in college. I do not want to write.” There are probably some good opportunities in what essentially is the data privacy side of the house that you could start without having a ton of experience and not having to know, let’s call it, the ground words tech. I think very specialized. You’re going to struggle if you try to break into other areas, when you start to get your hands in the weeds. It’s going to be a challenge, though. That is probably not the answer a lot of entry-level cybersecurity people want to hear.

John, what do you think? Can cybersecurity be entry-level?

In the practice? No, it is very broad and you have to have some experience. You have to have some of those knocks of asking for money to fix a problem and not being able to get the money, from a CFO or from without having a business need or what they feel is a valid business need there. That’s from a management standpoint. There’s the technical standpoint of understanding the basics of how to get a packet from point A to point B. When you talk about entry-level, you’re going to start off on the help desk, even at cybersecurity from that standpoint. There’s a rite of passage that you got to understand.

I love what George said where you can get into a cybersecurity job doing documentation. That is one of the places where you can succeed and you can start learning from there. If you read all the policies enough times, you start understanding the expectations, then you can grow from there. In many cases, and I know there are people screaming at their screens now, in my opinion, entry-level cybersecurity is on top of you’ve already had experience in all of those other areas of IT: system administration, networking, development, incident response, web applications, for you to understand and be able to speak to an actual information system, which has all those things in it. You need that foundational knowledge.

Cybersecurity Assessments: To be able to understand and speak to an actual information system, you need foundational knowledge about system administration, networking, development, incident response, and web applications.

We’re all on the same page in that regard, some places exist. For the most part, if you’re super geeky or think you want to get into something super geeky, you love the cybersecurity concept. You have to go through like a junior firefighter. Hackers are arsonists. We’re not going to put you in front of the fire on day one. You have to be a junior for a few years and learn how to clean the engine and do all those things.

It’s a great analogy, but the challenge always becomes looking at our paths. There wasn’t an internet for me growing up, so I have to look at the consideration of how our assumptions, or even the data that we have, indicate that at the starting levels, you got to go through a rite of passage first. We might be missing something. I hope we’re missing something, but the evidence now, all the workforce development programs, including those with missed, seem to indicate that it’s tough to get started without that experience first. It is. The data shows it.

Amira, a couple of quick questions here because we’re running out of time. One is, how can people find you?

I am on LinkedIn. I’m the only Amira Armond. I also blog at CMMCAudit.org. That’s a free source of information. You don’t have to put your email address in, and it has a lot of good info about defense contractors, cybersecurity and links to official sources. You can go to my company, Kieri Solutions. If you’re interested in CMMC assessment, assessment prep or documentation, compliance documentation or consulting to help you get ready, Kieri Solutions is the right place to go.

One final question for you, which is, what do you do outside of work for fun?

I enjoy dog training and I do search and rescue. I’ve been able to combine the two. I have a German Shepherd who is convinced that if I tell him to go find somebody in the woods, that the next person he finds is going to have the greatest toys and party ever. He goes running off looking for anybody out there and he comes back and tells me if he finds them.

Perfect. There are some people that I could probably like to train for that too. We’ll talk about that at a different time. Amira, I appreciate your time. Thank you very much. To our audience, we’d like to thank you for reading and if you’ve learned something, laughed and decided you want to do more controls, let us know or give Amira a call, but also tell somebody about this show and that’s it. It’s been another episode. We’ll see you on the next episode. Thank you.

About Amira Armond

Amira Armond is the vice chair of the C3PAO Stakeholder Forum, the president of Kieri Solutions (an authorized CMMC assessment organization), and the chief editor for CMMCaudit.org.

Kieri Solutions is noteworthy for passing their C3PAO CMMC Level 2 assessment with an enterprise system that is being used for real work, with a part-time IT department, following plain-language policies and procedures suitable for small business.

Amira Armond is a CMMC Assessor and Instructor and is an active speaker and blogger for cybersecurity and compliance. Her company provides assessment, consulting, and training on NIST SP 800-171, CMMC, and secure systems architecture to clients ranging from Fortune 50 companies to small defense contractors.