Greg: Thank you, everybody, for joining our talk today about a defensible CMMC program and the False Claims Act. I'll introduce myself, and then I'll hand it over to Doug. My name is Greg Peterson. I'm a principal consultant at a company called RKON. We focus on cloud security compliance, and we really focus on a lot of federal work with CMMC and FedRAMP. I've been doing IT for about thirty years, about twenty-five of it in security. And, Doug, I'll hand it over to you.

Doug: Awesome. Thanks, Greg. Pleasure to join you today as well. I'm Doug Barbin, president of Schellman and Company and national managing partner here. I've been with Schellman for over sixteen years in a variety of roles, starting services and overseeing all service delivery. A key focus of late has been CMMC and the work that we're doing in the federal and the DoD, DoW space. So, yeah, excited to be here and talk about this particular topic. The False Claims Act: we're not here to give you a legal briefing per se. We're also not here to scare you. I think what you see on this platform, on LinkedIn, a lot of times is "you better do this or else" type of things. The nuance of what we're going to get to and talk through here is that when we talk about a defensible security and compliance strategy, it is: when something happens, when someone asks questions or starts poking, what's your defense? And your defense should be a good foundation of a program. So that's what we're going to talk about: looking beyond the checkbox mentality to what is a truly robust CMMC program (insert any other kind of compliance, but we're talking here about CMMC in the context of the False Claims Act and DFARS). So, Greg, I'll fire off the first question to you. When a defense contractor first engages you for CMMC, how often do you think they're thinking about this topic of defensibility versus "I need to get certified to check this box to win this contract" type of mentality?

Greg: Sure, Doug. Most of the time when we see clients come in... recently, the rules on CMMC have changed. Now you actually have to go through a C3PAO and get an assessment, where people were doing self-assessments previously. This is bringing a lot of attention to people: "Oh, somebody's actually going to check what I write down and then certify me." So the big concern we see right now is either they self-assessed and they really want to validate before they have an assessor come in, or they haven't even self-assessed and it's all new to them. The main concern, always, is: how quickly can I get the certification, because I'm contractually obligated to get a certification? What they're not really thinking about is what you just said: the defensibility throughout the entire project and program. When they come in, they think this is a point-in-time assessment, like an ISO 27001 or SOC 2, and they don't think their way through it. Even those programs require you to continue the maintenance of it throughout the year, but most people just see it as a checkpoint when they come in. What we really try to get people to understand, especially when they come in for advisory services, is that this is a shift in how you do business. It's not a project, "we're going to get CMMC and the project's done." This is more program-based. You're going to have to start a program and move your way through the program from this point on, as long as you're CMMC certified. You're going to have to prove over time that what happens in the audit, which might be one or two weeks, is happening the other fifty weeks of the year. And when the Department of Justice is looking at any of these False Claims Act cases, and we'll get into that a little bit more, they're looking at the entirety of what you're doing. They're not just looking at when you're assessed. Any thoughts on that, Doug?

Doug: Yeah. Let me pull on that just a little bit. Are you implying that in certain cases, passing a C3PAO audit could create a false sense of security, or a false sense of compliance? Because even the CMMC audit itself exists at a point in time and is an every-three-year thing. So how do you look at things like annual affirmations and so forth? Is that where you're getting at from the programmatic and the defensibility piece of it?

Greg: To an extent, yes. Obviously, you're going to have your annual affirmations. You're going to go in and say you're doing it. Somebody's going to sign, and we'll talk about signing on these as well. But, really, it's a fundamental shift. When you go through CMMC, there are a hundred and ten controls. Some of the controls, let's talk logging and monitoring: you're supposed to continue to prove that you have logging and monitoring meeting the schedule defined in there throughout the entire year. Most people will look and say, "Okay, we have it now," but are we doing this? There are some quarterly things you may have to do. There are some things that you must continue to document throughout the entire year to prove you're doing it. A lot of people will look at it as, "We've got CMMC now. We're good," and they stop funding or paying attention to all the evidence. Because, ultimately, it comes down to evidence. If something happens and they come after you, documentation is your friend. Nobody loves documentation, but it is your friend.

Doug: That's right. Because a prime, who could challenge you or, to your point, report you to DOJ, is going to come in x number of months after, even if you were able to, quote unquote, survive and have a clean audit as of that point in time. You may get looked at x months down the road. And to your point, if you stopped logging the day after the auditor left, you're probably going to be in trouble. I think that's an important aspect to this, because it is exactly the point that you've been making: if you are called to the carpet by DOJ or anyone else, they're not just going to look at the assessment that was done. They're going to look at what you've done since then and what you continuously do.

Greg: That's fair. This is a program. This is not just a single project. Well, Doug, I'm going to throw a question at you. I like to do parallels with other programs. So HIPAA's out there, the Health Insurance Portability and Accountability Act, and it has audited programs that still collapse. If the Department of Health and Human Services comes in and looks at you after a breach, they can see that the programs are not fully compliant. Just using that as an example, since most people have heard of HIPAA: as an auditor, what lessons do you think a CMMC program should be taking from that?

Doug: Yeah. There are some stark differences, as you know. CMMC has a certification. HIPAA doesn't really; there's HITRUST and there are other mechanisms to prove adherence. But here's the interesting thing. I've always been in the camp, even going back to PCI, that having a compliance program doesn't guarantee that an incident isn't going to occur. If it did, the compliance requirements wouldn't include incident response plans and logging and things like that. So I think what we've seen and learned from HIPAA, and in particular the OCR audits that HHS has done: they typically come in after there's been a breach, after something has occurred. In many cases, yes, to your point, they identify weaknesses and vulnerabilities that should have been addressed and that were ultimately the root cause of the incident. In other instances, they're coming in and looking and seeing, "Okay, you did have a program. You did have an incident response plan. This was a sophisticated actor. You responded the best way you could have responded." And as a result, you kind of follow the reasonableness approach to say, "Yeah, you've got a defensible position." So: look at my program, look at the logging, look at my incident response, look at what we did. But also imagine what would have happened if we didn't have that program in place. I think that's a very important parallel here, because if something happens, or even if it's just a challenge, you're going to get asked these questions as to what you had in place to reasonably protect yourself.

Greg: Right. I have a big background in PCI as well, and I've seen companies go through a PCI assessment, be PCI certified, and get breached the next month. And PCI will immediately say you're no longer PCI certified; you're going to have to go through certification again, because it is a point in time. All these assessments are a point in time. It's up to you to maintain them. And for HIPAA, you don't get treble damages on your penalties like you do in the False Claims Act. So that's a little bit of a difference between them. It's much more expensive with false claims.

Doug: Yep, that's right. So let's dive back into that a little bit more, because I think that's an interesting aspect. From your perspective, what does FCA exposure really look like? We've seen cases. We've seen examples of this. What is that within the realm of what we're talking about here for CMMC?

Greg: Okay, sure. I'm kind of a history nerd. The False Claims Act actually came out around the Civil War, and it was used to prosecute suppliers that were giving the Union Army invalid invoices. And they still use it today. It's been around since the 1860s, and it's still used today on basically anything you're misrepresenting to the government. It's an anti-fraud tool. If you knowingly submit a false claim for federal payment, you have suddenly hit the False Claims Act. It is a civil law, not a criminal law, but obviously there are criminal laws around it. Any time you get any money for anything, a grant, a contract, and you misrepresent, you are subject to the False Claims Act. And it has treble damages, as I mentioned before. So it could be anywhere from $14,000 to $28,000 per claim. And a claim can be every time you submit an invoice, every time you sign your annual affirmation. If you sign your annual affirmation and then you send twelve months of invoices, that is thirteen separate claims they have against you if you're misrepresenting. So that's what the False Claims Act is. Now, what triggers it? If you get breached, they're probably going to look at you, but being breached doesn't always trigger it. The number one way people come in for the False Claims Act right now is whistleblowers. As a whistleblower, I can get a percentage of what's charged. I think the largest whistleblower payout I've seen, somebody made $1.5 million by reporting their employer. And that is the main method of it going through. So you don't have to be breached. This can happen at any time. This is something you have to protect yourself from. And they don't have to prove that you had an intent to lie. They just have to prove that you misrepresented what you're doing. The DOJ is the one that generally enforces this. We are seeing it; it has happened everywhere. It's not incredibly common, where we see hundreds of cases a year, but they do actually go through and do this. I'm going to run through just a few companies; I took some notes on this. I'm just going to call it MORSECORP and the SPRS scores, and we'll talk about that. An employee actually knew they were inflated, and so they reported them to get a percentage of the fines. Georgia Tech, so a university: members of the cybersecurity team itself, the people running the program, reported it. An Illinois machine shop is out there. A quality control manager who wasn't even in IT reported it, and they got charged, and they were a machine shop. They got charged almost half a million dollars. So it doesn't matter how big or small you are. The fines aren't scaled according to it. Unlike some of the other regimes out there that go off a percentage of revenue, this is not that. If you're a small shop and you sign off and somebody disgruntled in your company, or someone who leaves your company or who you let go, reports you, you could be fined your annual revenue or more than your annual revenue. So those are some examples. Really, the reporting is an insider threat more than a breach. As you mentioned, Doug, the primes can actually come after you and ask you to prove things. Just from your point of view, what have you seen with the primes doing on this versus actual insider threat?

Doug: Yeah, that's a great question. The primes in particular have a lot on their plate from a supplier management perspective. A lot of times we can look at this oversimplistically and say, "Yeah, we saw the notices that Lockheed or some of the other providers put out there on the Internet to say all of our suppliers need to be CMMC Level 2." But there are other tiers of supplier management within these large organizations: companies that may not handle CUI today but could. And the suppliers need to understand perhaps where they are on the path. Could this be a supplier that could handle CUI, and what would it take to get them to Level 2? Things like that. My only point there is that the supplier networks are far more complicated, even for mid-tier DIB companies, than just going through and saying, "Does everybody check the box from a CMMC perspective?" I do think, though, that the primes obviously carry a lot of the liability when it comes to the overall contract vehicle. So they've got incentive to make sure that their suppliers are responsible, and it's not even just getting a fine from a False Claims Act case. You're spot on: that can put a small sub out of business. But in addition, you also have to consider the impact on what that business, that contract, is. Because if a supplier or a sub falsifies or misrepresents information about their compliance and protection of CUI, that can work its way all the way up to DoD, DoW. So then the greater contract is at risk as well. I think the prime contractors are definitely worried about this, because they know one way or the other they're going to get pulled in. They can't just point to the sub. And I don't even think they can necessarily just point to the sub and their CMMC certification. To your point, they need to be comfortable that there's an ongoing program there. So it's a lot that they're juggling right now. They've got a big job today.

Greg: And I will say, as you look at it, the primes have people and money to run a program. They have subs. Those subs may have subs. And if you're a small machine shop, you don't have the resources a prime does to validate that you have this program in place. And that's really when we start getting to people signing. There is a personal liability that comes with the person that signs off on your annual affirmation, which we'll talk about in a bit. But when you're a smaller or a mid-sized shop, you may not have a GRC team. You may not have a government or even a full security team. Yet to handle any data that requires you to have a CMMC certification means that you are stating that you do have these programs in place. There are, I think, eighty thousand plus companies in the defense industrial base, and most of those will have to go through CMMC certification. A lot of those are very small companies that are signing something stating they are CMMC certified, but they may not have the resources in place to continue throughout the year going through all of the documentation, all the reviews, everything that you have to do to maintain CMMC. And those are the ones that, when they start signing off, can actually have the biggest risk. It could be an existential risk to the company because they are just much smaller. This is something to think about when you sign off on this, which I'm sure a lot of smaller companies don't; they just want the revenue. But once they have to start going through assessments, they realize, "Hey, if I sign this, I'm personally responsible for at least the misrepresentation I'm making." I'll just kind of run through an assessment. When you get an assessment, it's a great start, because before you go through an assessment, you have to do a gap assessment. RKON does this all the time. We'll go through and say: this is what you need to have in place to get through an assessment, this is where you are now, let's fix all these issues. So just to get through the CMMC certification means you've already fixed everything to get yourself to where you can get a passing score. And I'm just going to reiterate this: a lot of companies don't foresee this as an ongoing thing that they're going to have to commit resources to for the rest of the year. When you get the certification, that's almost the easy part. It's not easy, but it's almost the easy part, because you've got to maintain it going forward. And if they ever come back and, let's say, you have a whistleblower or for some other reason you're investigated, you have to prove with documentation that you have everything in place and you didn't have risks that weren't addressed. So that is just the big picture. The big concern I see is companies that are coming in have to do it, and they don't realize what they're committing to when they sign off on this.

Doug: You bring up an interesting point. Certification itself, Level 2 certification, became official last year. The year before that, we were doing them as joint voluntary surveillance audits. But the requirements for NIST 800-171 under DFARS had been in place for some time. The annual affirmations and things like that are not a net new thing for CMMC. SPRS scores and those things, the contractors have been doing for some time. What we've seen that's interesting, though, and you brought up some very good examples for false claims: the number of False Claims Act cases in 2025, I wish I had it in front of me, was like twenty or thirty times the number in 2024. So DOJ has stepped up, and...

Greg: Almost $52 million last year.

Doug: Yeah. $52 million in dollars. I don't know if you remember, or if you have what it was in 2024, but it was dwarfed. I remember going to, I think it was CUI-CON, whatever you call it. There was an attorney there that presented, and the number of cases in 2025 was just astronomically higher than the number of cases in 2024. We will continue to see that. I think the point we're trying to make is that the requirements are there for working in the DIB and for handling CUI. It's easy to say, "Well, they've always been there," and I know that is true. But what's changed is not just the CMMC certification. It's the focus on this particular topic: the concern over theft of data, which was the genesis for CMMC to come into place in the first place, more accountability for the contractors in terms of handling. The stakes are higher, I think, is really the main point.

Greg: Perfect. I do want to move on, but for anybody who's listening, there is a comment section. If you have anything you want us to touch on, please feel free to put it in the comments. So, Doug, I want to go through some of the common gaps that you're seeing in companies' preparation and building of this environment. I'll throw out a few: inflated SPRS scores, SSPs that don't match reality, POA&Ms that never close. There are a bunch of different things out there. What are you seeing a lot of?

Doug: Well, openly, as you know, Schellman is assessment only, and we prefer to work with companies that have worked with advisory firms like yourselves to be able to prepare. That makes our lives a lot easier. But in essence, there always are companies that are rushing into this. They've got a contract vehicle that they want to get through by the November deadline, etcetera. I think the SSPs don't match reality, but I think that stems from the bigger problem, which is that the scoping is not fully understood. Now, in certain cases, and this is a kudos to some of the MSP and other offerings that are out there, we are seeing a lot more enclaves being stood up, people recognizing that "I want to make this CUI footprint as small as possible." But they still have to document it. Documenting it is the act, but you have to know what to document. That's the issue with SSPs. It's not that they're failing a documentation exercise. It's that they're not necessarily accounting for everything that goes into it. "Okay, great. You went out and deployed Microsoft GCC High, and you've got your separate email, SharePoint, etcetera, for all of the things that you interact with your primes, with the DoD, etcetera. You've got that. Oh, but what do you actually do for a living?" "Oh, we manufacture parts, manufacturing and welding." "Well, how do you do that?" "Oh, we take the CAD images from the design, and we put them into this machine, and the machine creates it." "Are the CAD images CUI?" "I don't know." But you should know. And if they are, how are... "Oh, well, the CAD images come from the prime, come from the designer, and we're just manufacturing the part." "Okay. Does it say CUI?" "Yeah, I guess it does say CUI." "Okay. How do you get it into the OT? How do you get it into that manufacturing technology?" You've got to walk through things like that. Now, there are companies that are simpler. They may be architecture design firms, law firms, professional services. Then your primary sources of data are in fact just your email and your collaboration tools. But those are the things that, again, like I said: SSPs definitely have a wide range of quality, but the bigger issue is whether or not they have actually fully accounted for all of their scope, or if they're using external service providers. That's probably number two. Number two would be external service providers, where they're using an external service provider that is or isn't FedRAMP. Maybe it is FedRAMP, but you didn't configure it the way the customer responsibility matrix told you to configure it. So that's another thing that we're seeing. And to a certain degree, it does elongate the assessment process a little bit. But I like the fact that CMMC has this phase one, phase two, and phase three approach. You have to go through a phase one where you can gate these things and say, "Hey, the documentation reflects the scope," all of which works pretty well. It looks good enough to audit, so to speak, as opposed to what people kind of expect from, like, a SOC 2 perspective, where we just jump in and start testing. That's what we're seeing. Curious what you're seeing, because you're coming in earlier than we are in many cases.

Greg: Scoping's a huge issue. A lot of people will come in, and they'll be in Google Cloud, Azure, AWS, and they'll say they have it handled: "I have this in a cloud environment that's certified." That's not the way it works, really. It helps that you're using that stuff, but you just mentioned GCC High and Microsoft. You can have a GovRamp, which is in AWS, but AWS without GovRamp still has a certain rating; same with GCP. So people come in with expectations on their scoping, what is in scope, what's not in scope, and then how it's tied together. And then CUI scoping: it is amazing how people don't know what their CUI is, what they're protecting, because the government defines what CUI is. You don't define what CUI is. When you get the data, if it's labeled CUI, it's CUI. You don't get to make a decision on that point.

Doug: Yeah. You can't argue with it. The DoW says that our reports are CUI. So as a result, all C3PAOs have to go through their own DIBCAC assessment, basically a CMMC assessment. We have to have our own environment, and it gets tested and audited as well. Because, again, we're not handling designs or anything like that. We're not touching any of that data, but our reports are CUI, to your point, because the DoD, DoW said they were.

Greg: Yes. And if they say it is, you don't really have the avenue to go back. But we only have a few minutes left, Doug, so I want to leave people with key takeaways. I'll jump into one. First thing: I strongly recommend, because I do this all the time, an independent gap assessment initially. Don't score yourself, because that's where people get in a lot of trouble. I guess "trouble" would be a bad word, but they end up in groupthink, where they think something's going to get through, and they don't have somebody independent looking at it who would suddenly realize, "Hey, the way we're doing it, it's not going to meet this requirement." And then, second with that, would be self-disclosure. It's always better to self-disclose when you find something versus having a whistleblower go through, because that will easily go to triple damages, where they can do single, maybe double damages when you self-disclose, and they can waive a lot of it. Doug, any thoughts?

Doug: You've hit it multiple times, but this is not a point-in-time thing. It shouldn't be treated as a point-in-time thing to get a contract. You really have to commit to operating a program. With the clients that we've done certification work for, many of them are having us come back and do a health check next year, even though it's not required, because it gives them additional comfort when they're going to sign that annual affirmation. It gives them additional comfort to know that someone else looked to see that the controls are operating effectively. So whether it's the independent C3PAO or an advisory firm like RKON, get somebody to look at this on an annual basis, and make sure that you're not just saying, "Hey, this is great. We're certified. We'll see you in three years," because a lot can happen in three years. A lot of things change, and scope could change, and so forth.

Greg: If you're the one signing that affirmation, you're the name that they're looking at.

Doug: That's right.

Greg: We have less than one minute left, Doug. Real quick: how early should I reach out to a C3PAO to do an assessment right now? I know everybody's striving to get Level 2. What are you guys seeing as far as lead...

Doug: Yeah. As early as possible is always the thing. We enjoy being engaged, and prefer being engaged, even if they're working with an advisory firm like yourselves. We can ride alongside that during the preparation and be there and be teed up and ready to go. The alternative is, "Well, I'm going to wait until after August, or whenever my readiness is set, when my consulting engagement is done." Well, then you're battling for a very, very busy September, October, leading up to November. So, sooner rather than later to engage. And I also think that even if you're working through remediation with an advisor, it's a very powerful statement to be able to say... let's say a subcontractor's working with a consulting firm like RKON to do remediation work. It's very powerful to say, "We're working with a firm for remediation. We have already engaged the C3PAO to do the formal assessment once that is done." That's a very powerful message that you can send to your prime: "I've got this under control. This is my path to CMMC certification." Because then, if it does go past November for whatever reason... and remember, November is where these start showing up in contracts. It's not like anyone's going to get fined for not being done in November, but you at least have a plan. You've shown a methodical path to getting there.

Greg: Perfect. Well, thank you for that answer. And, Doug, thanks for talking about this. Alright. Thanks, everybody, for attending.

Doug: Thank you.
Building a Defensible CMMC Program: What the False Claims Act Means
Published: Jun 9, 2026
CMMC certification is mandatory if you want to hold defense contracts that involve CUI, but the journey doesn't end there.
What happens after you're certified? What happens if you get investigated? What happens if a disgruntled employee reports you to the Department of Justice?
In this LinkedIn Live session, Greg Peterson (Principal Consultant, RKON) and Doug Barbin (President, Schellman) discuss the often-overlooked intersection of CMMC compliance and the False Claims Act, and the importance of creating a defensible CMMC program.
This conversation covers:
- The certification trap: Why passing a C3PAO audit can create a false sense of security, and why the audit itself is just the beginning
- False Claims Act exposure: The real financial penalties (up to treble damages), the role of whistleblowers, and why company size doesn't protect you
- Personal liability: What signing an annual affirmation actually means and why executives need to understand their personal risk
- A Civil War-era law with modern teeth: How the False Claims Act, on the books since the 1860s, is being applied to defense contractors, and how enforcement is escalating (the speakers cite a 20-30x rise in cases from 2024 to 2025)
- Program vs. project mentality: Why CMMC is not a point-in-time event and what "defensibility" really looks like
- Common gaps that trigger liability: SSPs that don't match reality, scoping misunderstandings, inflated SPRS scores, and how to avoid them
- Real-world examples: How whistleblowers from Georgia Tech, an Illinois machine shop, and other organizations have exposed compliance failures, and the six- and seven-figure sums that followed
- How primes manage supplier risk: Why your prime contractor has skin in the game and how that affects your defensibility
- Practical steps to reduce risk: Independent gap assessments, annual health checks, self-disclosure strategies, and when to engage a C3PAO
Whether you're a defense contractor pursuing CMMC certification, a prime managing suppliers, or an executive tasked with compliance, this session reveals the stakes beyond the checkbox and what real defensibility looks like.
Watch to understand why CMMC compliance is becoming both a legal imperative and a personal liability topic.
Schellman is a C3PAO with extensive CMMC assessment experience. RKON is a leading advisory firm specializing in CMMC and federal compliance. Both are committed to helping organizations build defensible programs, not just compliant ones.
About Douglas Barbin
As President and National Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman's global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years' experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.