Cloudflare Outage, AI-Powered Attacks & The Rise of GRC Engineering | Distilled Security Podcast
Welcome to Distilled Security Podcast. My name is Justin Leapline, and I'm here with Rick Yocum and Joe Nguyen, and this is episode number 19. We're gonna start off here, I think, talking about that the last time we were here in episode 18 was there was a whole bunch of breaches, and we actually covered a number of breaches. Yeah. And then there was more breaches or not breaches, outages.
Justin Leapline:Outages. Outages. Sorry. Sorry. So this week, a couple of days ago, we had a nice big Cloudflare outage.
Justin Leapline:Were you guys affected by this at all? I got actually a funny story
Rick Yocum:My about Spotify listening was affected.
Joe Wynn:Oh, okay. Gotcha. I had some customers had a little bit of effect to it. I haven't heard of anybody having tons.
Justin Leapline:So our we had a number of transactions fail personally and everything. Yeah. So our bank that we use must have and it was actually odd to me because I was like, they have Cloudflare in front of the processing of transactions into this. So we had a number of you know how Amazon is a little bit delayed when they actually process your transaction? We had a number of failures come across, and then Jen went to a coffee shop and tried to get coffee and, like, a croissant or something like that, and it wouldn't go through.
Rick Yocum:Oh, their point of sale system was
Justin Leapline:Well, it was our bank that was down. Theirs was still working. Got it. And I thought that was an interesting aspect to that. Like, once Cloudflare was back up, it was like, yep.
Justin Leapline:Everything's good to go with that. But yeah. So Cloudflare is basically everywhere, even the places you would not expect it.
Joe Wynn:Right. Well, they say it's covering 20% of all websites and operates data centers in 330 cities across 13,000 networks.
Rick Yocum:I think it's like ChatGPT's underpinned by it.
Justin Leapline:ChatGPT. Wasn't there some Microsoft services? Yes. There was a ton of stuff, you know, into that. And I've actually personally recommended Cloudflare a ton of times in and out around PCI
Rick Yocum:Oh, yeah?
Justin Leapline:For one of their new content security policy requirements, they have basically a page shield that you just launch it up and you're good to go, you know, with it with some configuration, obviously. But it's way easier than configuring content security policy specifically for your web servers and trying to roll it out and administer it and all that stuff. So, yeah, that that's one of the solutions I've recommended Yeah. A ton. And they have a number of other different good use cases.
Justin Leapline:Yeah.
Joe Wynn:So another instance of we're gonna record an episode and there's a major cloud.
Justin Leapline:We need content. Well, obviously. Correlation? Yeah. Yeah.
Justin Leapline:So we'll just down another service and talk about it next month. Yeah.
Joe Wynn:But what we can do is we'll just publish when we're gonna record, and that week everybody can be on high alert.
Justin Leapline:Yeah. Right.
Rick Yocum:Yeah. Or take
Justin Leapline:a vacation. Exercise their BCP, you know. Yeah.
Rick Yocum:Right. Yeah.
Joe Wynn:So what was the so what were you guys finding? It was a latent bug due to a
Justin Leapline:file that got really DNS?
Joe Wynn:No. It was it was not DNS.
Justin Leapline:Even though everybody guessed that to start with. Yeah. So apparently, they had some type of source file that they loaded in for threats and everything. I don't know if it was like a kind of a blacklist or something like that that, you know, all the bad sites and everything. It apparently grew to a point where when the application loaded it in, it caused a fault.
Justin Leapline:So whatever memory that it had allocated to load that in, it wasn't enough, and it caused a fault into the application. It crashed, you know, into that.
Joe Wynn:So it was a bug and it wasn't a cyber attack. In fact, I find it very interesting that every time one of these outages happen, the first line is it was a bug and the second line is this was not a cyber attack.
Rick Yocum:Right.
Justin Leapline:Which is good. Mhmm. Yeah. And, obviously, it was a I mean, most bugs are always, you know, things that nobody has ever considered before, but this was something that they could've wrote tests in, but nobody thought they would grew to a point or knew the limits of the software to, you know, put limits onto that. So I thought that was interesting.
Justin Leapline:Yeah.
Rick Yocum:One It'd be interesting if it if it was indeed, like, an index of threats or something like that. Oh, I never thought there could be so many threats on the Internet. I never expected the file to get
Joe Wynn:so bad. I never I wonder if we look at the file if the threat of it growing too big is in the file.
Justin Leapline:Right. So
Joe Wynn:yeah. Well, whenever this happens, first, you know, thing that comes to mind is third party impacts, supply chain impacts. This was another part of your supply chain. I was reading a couple different takeaways from different folks recommendations. And one is, you know, you gotta really once again, I think we're saying the same sentence every time here.
Joe Wynn:Yeah. Look at your how much reliance you have on these critical Internet infrastructure providers. Make sure you have a fallback plan, mitigation plan. Some of the IAN's faculty members that a few of us are on with or talking about it being a good opportunity to take a look at your you know, to brainstorm the concede that you can have. And if you take down Cloudflare because you want to not have that interrupt your services, well, what control is Cloudflare providing for you?
Joe Wynn:Yeah. And are you potentially now vulnerable to something else?
Justin Leapline:And how do guys wanna make that? Posted that up and it I mean, it's very valid because they offer, like, WAF, bot protection, everything like that. So if you go into it and turn it off, like, what are you opening it?
Joe Wynn:Right. Yeah. We'll give I'll give credit to Aaron Turner from
Rick Yocum:Okay. Yeah.
Joe Wynn:Faculty who some of that quote came from.
Rick Yocum:I think one of the things that concerns me a little bit is the concept of fourth or fifth or whatever x party risk management. Because if you consume a service that's underpinned by Cloudflare, like some of the Microsoft services as a for instance. Right? They could be totally critical, and you might say, oh, okay. Well, these are super critical, but surely Microsoft's doing all the right things.
Rick Yocum:We've done all the third party risk assessments to make sure that they're good or whatever, and you don't even necessarily anticipate that you're gonna have an outage in those services. Right?
Justin Leapline:Now how often do you like, when you're pulling on a new, let's say, a SaaS, do you pull that they're using Cloudflare? No. Yeah.
Rick Yocum:I mean, I think it would be very atypical. It'd have to be an I think it's critical.
Joe Wynn:Depends on the criticality. If a large business and you're going to shift your entire, like, main whatever it is, whether if you're a development shop and building a product and you're gonna move it all into a particular framework or some sort of Could be
Rick Yocum:anything data center, system, service.
Joe Wynn:Yeah. So then you'd probably wanna say, show me the diagram. Show me how this works and how it's all put together, and what are you doing about potential areas. So I like the diagram. I like the data center.
Joe Wynn:Show me how this all comes together. Now show me what, third parties you're relying on. And if you're the billion dollar plus company that's picking a new multimillion dollar solution and it's going to drive your revenue, it probably does make sense to get a bunch of architects together and start looking at this and see how work with their architects. At that at that buying point, your your vendor is going to bring their architects to the table if you ask them to. Yeah.
Justin Leapline:Yeah. Yeah. I I was just working with a health care organization, and it it was very light integration, but the health care organization, it was like a donor platform, and they asked for an architectural diagram. Mainly to the point of what are the points of integration between the app and, obviously, the health care organization. So are we sending out batch files or you know, for our donors?
Justin Leapline:Are we sending it, you know you know, live feed, whatever it is, you know, with that. But it's not common. No. You know? Like, if you're digesting and you're asking, like, do you support SSO and, like, figuring out identity management, like, you're and then send my questionnaire and say, I I assume you got all this stuff.
Justin Leapline:And how many nines are you guaranteeing?
Rick Yocum:That's what I gonna say. And pragmatically, like, there's two things that like, I I think it's all it's all good stuff to do. What I grapple with a bit is, is it actually gonna change your decision? Mhmm. So if you're gonna underpin the entirety of your business in some super critical way to this service, it's probably high volume for you or high importance for you in some way.
Rick Yocum:And there's probably, like, gonna be practically commercial terms that drive things more than than maybe, oh, you only have one service provider underpinning your service that you're guaranteeing to us and that we're, you know, risk transferring through insurance and so on and so on and so on. I just I I think it's good to know and understand, but I don't know how often it'll impact a decision. And it like, in the example of, like, if you're working with a Microsoft, well well, then what are you gonna do? You're gonna push them around? And and and and Microsoft is gonna be like, hey, well, yeah, we have do you guys certainly, you know, we have all these assurances with Cloudflare and this like, they're not gonna give you, oh, yeah, we're single threaded through this one thing.
Rick Yocum:Yeah. Deal with it. Like, they're gonna give you good answers.
Joe Wynn:Yeah. And you're probably not gonna have that. So I don't think Microsoft won't be the vendor that you're having that conversation.
Rick Yocum:Right. That level of transparency.
Joe Wynn:But it's the company who's building their stuff on Azure and is gonna rely on a few other things. Sure. What are those other things?
Rick Yocum:Yeah. Yeah. Yeah. I think that's right.
Joe Wynn:Yep. Do all their servers have CrowdStrike on them? And what what was that? A year ago? Yeah.
Joe Wynn:And then did they all go down?
Justin Leapline:Right. Well and this goes back I mean, this was a few episodes ago, but back to, like, third party risk management when we were talking about that, I I'm still of the opinion, like, going down all these rabbit holes means nothing. You know? Like, you're spending more time figuring out a good resilience plan. If this vendor goes down, what do we do?
Justin Leapline:I think not Not trying to do you use Cloudflare? Do do this? Do that? Because they'll all go down. It will all go down.
Justin Leapline:You know? And you just have to deal with it.
Rick Yocum:Yeah. Know what you're gonna do and by when you're going to do it. Yeah. Right? Three hours in, we have to make a change or whatever.
Justin Leapline:Yeah. So good. Alright. Another thing I wanted to talk about, that that was just a real short little thing and coincidence I thought was kinda funny. One thing that came out, what was this, last week here, Anthropic Mhmm.
Justin Leapline:Was kinda a party to not involved with, but a China nation state hacking using AI, which we all knew was coming. You know? This was not a shock that it was actually happening. In fact, they wrote up a nice big report about all the aspects of this. They even said in their report, it was like, yeah, we we all theorized, like, you know, nobody's notes for Adamas.
Justin Leapline:Like, we we knew this was coming, but the speed of which and the integration of, you know, doing this was pretty incredible Yeah. Into this. Did you guys read that report? Oh, yeah. Yeah.
Rick Yocum:Yeah. I loved it. And then first and foremost, I'd, like, super applaud the transparency of it. Yeah.
Justin Leapline:Alright. Yeah. I think more and more a little bit off topic. More and more if you're doing a breach right, you know, I mean, technically, this one really a breach. It was a misuse of services, you know, into that.
Justin Leapline:But being transparent into that, I think, is gonna give you more graces at least in the security community where we're all looking at and saying, what was the cause? What was the, you know, the the weaknesses? Tell us, you know, the issue with that, I think, is better formula, you know, for re regaining trust, you know, into the consumer. Like, I I still and maybe it happened, like, Change Healthcare Alright. Last year.
Justin Leapline:I still don't know what root cause is with that. You know? Like Right. Have they shared that? Maybe I haven't paid attention
Joe Wynn:to the post. Transparent about like this.
Justin Leapline:Yeah. They they weren't transparent out of the gate. I know that. You know, it was more about restoration of the services, and I get that. But it would've been nice to know the attacker and how they, you know, got in and exfiltrated and all that stuff.
Rick Yocum:Like like, what, you know, what happened?
Justin Leapline:Yeah. Yeah.
Joe Wynn:Yeah. And so in case some of our listeners aren't fully aware, you know, what was uncovered was they were using Claude through m MCP tools to run reconnaissance, right, exploits, harvest credentials, x fill data, and the AI handled 90% of the work with Yep. Limited human interaction. And I think the anthropic detected it mid September twenty twenty five, and we're able to, you know, start killing, blocking accounts, killing agents, things like that. But the life cycle is human operators selected targets and then build it into the attack framework, and they tricked or somewhat jailbroke the AI model to execute the task by framing the request, you know, innocuously and hiding the malicious intent.
Joe Wynn:Yeah. Because otherwise, it, you know, would probably call that right out. Things like we're doing a actual pen test for our own company and we need to make this thing work And, oh, okay. Yeah. We'll run that.
Joe Wynn:We'll run that this time.
Rick Yocum:And well, another technique they used was the the granularity of the requests themselves. Right? So instead of, hey. You know, run, you know, this suite of attacks all at once, which is gonna be flagged as bad. It'd be like, hey, do this specific thing.
Rick Yocum:And then a different agent do this specific thing. And then a different agent do this specific thing, and an orchestration agent to chain it all together. And so each little thing doesn't look particularly suspicious, but chained together, it's it's an attack path. Yep.
Justin Leapline:Yeah. Yeah. In fact, it was really interesting. If you look at the report, we'll have the report in the show notes here. They basically had there was five main phases, discovery, vulnerability analysis, exploit development, exploit delivery, and poise exploitation.
Justin Leapline:The only place that a human was involved is right at the beginning. They gave targets, you know, into that. And right in the middle, after exploit development, they reviewed it and approved the exploitation. Yeah. So everything else from scanning the environment, enumerating the services, identifying vulnerabilities, resort researching exploitation, authors custom payload payloads Lloyds, develop a customer exploit chain.
Justin Leapline:All this was done with AI agents. You know? And and I
Rick Yocum:think it was developing it was actively developing custom code Yes. During the attack threads.
Justin Leapline:Yeah. And in fact, they even had, like, custom reach out into other services. So when it was doing a scan, it had a an MCP endpoint where they actually said, like Yeah. Do this stuff, you know, run this stuff, and give me back the results. You know?
Justin Leapline:It it was actually pretty impressive. Impressively engineered.
Rick Yocum:Like, I
Justin Leapline:looked at that. I'm like, I need to hire them to automate some of
Rick Yocum:this stuff. Whole framework. Right. I know.
Joe Wynn:You know, one thing I found funny reading that article and by the way, when you do check out the article, there's really cool diagram that kinda shows how it all all came together. But one of the funny things was Claude didn't work perfectly. Occasionally, it hallucinated credentials and claimed to have extracted secret information that was in fact just publicly available. Yeah. And so, you know, even the bad guys will have problems with hallucinations when they're
Justin Leapline:trying to
Joe Wynn:use these tools.
Rick Yocum:Yeah. I I can't stop being entertained by that specific fact. Yeah. Like, the the hallucinations of the credentials. And and I can just see because I because I I think the bad guys then tried to exploit it, and and it took them a while to troubleshoot what was going on.
Rick Yocum:Right.
Justin Leapline:So Shouldn't have taken that long if they're getting an error back.
Rick Yocum:Well, but I suppose we don't know Yeah. A lot about how this was perpetrated, but I could imagine perpetrators that were so invested into building that framework out and levering that framework against multiple clients. You'd want to fix that bug midstream potentially because if you have dozens of downstream clients, like, you'd wanna know what was going on. Why is it reporting success when there's failures? I think the people that built this were clearly engineers.
Rick Yocum:I imagine they'd attack the engineering problem.
Justin Leapline:Yeah. Yeah. Yeah. I mean, this is a common problem with AI with, you know, the actual data and then, you know, hallucinating that data or, you know, manipulating that because they probably got back credentials and but then when they're going to use it thought that, you know, they pulled it somewhere else or, you know, thought something else was right.
Rick Yocum:I mean, they Oh, were we caught?
Justin Leapline:Yeah. Did they did
Rick Yocum:did the victim start changing credentials already?
Justin Leapline:Yeah. Because that's a pretty static thing. If they have credentials, that shouldn't modify, you know, into that. So, yeah, that's and that's an AI thing. Because who was that?
Justin Leapline:I was talking to you the other day on, like, I'm never gonna ask AI to, like, manipulate data for me. I'm gonna ask AI to create a Python script to manipulate data for me. Yeah. You know? Because don't trust AI to actually do the manipulation right, but I can trust it to write a script for me to do some type of manipulation, and I know that will be right, you know, with some testing, obviously.
Rick Yocum:I love that example so much because I I've said a billion times in the past month or two, like, AI is an intern. Mhmm. But you're responsible for how you task the intern. And if you task the intern with manually changing thousands upon thousands of records in a certain way, there's probably gonna be some error. If you task the intern with writing a script to change those records in a way that you want and expect, it's probably gonna be right.
Rick Yocum:Yeah.
Joe Wynn:Yeah. Well, I like how this whole thing is we're shifting a little bit to Yeah. Using it for bad for maybe using it for good. And so, you know, why can these systems be manipulated to do this? Should we not stop it?
Joe Wynn:Or can we figure out how we can actually use these systems to be on the cyber defense side and do very similar things?
Rick Yocum:Yeah. I mean, I'm pretty confident the AI stuff is gonna benefit offense and defense, I guess, in different ways, but ultimately evenly. Right? So offense can do a whole bunch of different innovative things, masquerade as people, chain attacks together in novel ways. On a defensive side, well, if you can do a better, smarter, quicker, more context aware methods of patching or alerting, there's Pulling out anomalies.
Rick Yocum:Yeah. Exactly that. I mean, you can you can lever that for good. I think the fear that I have in that space is the enterprise organizations that can leverage AI for defense, they're probably mid to big. The small organizations, what are they gonna do?
Rick Yocum:I mean, maybe they have some tools, maybe the tools that they already purchased start to get AI embedded in ways that automatically acts on their behalf. But I actually think there's this the asymmetry isn't in the ways that attacker defense can use AI. It's in the people that will have access to the AI. Because the attackers will just attack everyone with it. Right?
Rick Yocum:That's shotgun approach. Let's try every car in the lot to see whose doors are open. Some of those organizations are gonna be small organizations that can't afford the AI defenses that are now
Justin Leapline:Maybe. Or it could be highly targeted or targeted into an industry or something like that.
Rick Yocum:But it's gonna be both. Right? There's gonna be attacks that are highly targeted, and there's gonna be attacks that aren't. And I think the AI attacks that are not highly targeted are going to disproportion disproportionately impact the smaller organizations that can't afford AI defenses.
Joe Wynn:Yeah. And what I'm hoping happens with these, you know, companies out there that are building tools is they're building tools, learning from these things like these like the anthropic incident and creating tools that will be able to at scale much faster than people can, than existing tools can, start to detect, you know, the things that
Justin Leapline:were happening.
Joe Wynn:So what were happening in the in the list, they were doing reconnaissance and surface mapping. Mhmm. And if that's done by is there a way you can pick up on that being done in a way that a human or computer tools won't do and watch for that? And that that anomaly of an AI MCP Mhmm. Doing that work, can another one be built to watch for that happening on your, you know, your perimeter?
Joe Wynn:And so build into your firewall, build into your SASE,
Rick Yocum:that kind
Joe Wynn:of stuff.
Rick Yocum:I I think I think it can be that the challenge is it's gonna be the integration points. Right? The weaknesses. And then you go, okay. So what does a small company do for that?
Rick Yocum:You go, okay. Well, you can platformize, and then you have less integration points, and that's fine. Or you end up in a world where you just have to add a tool to the tool stack for small companies, and then that's a cost that's difficult to bear.
Justin Leapline:Yeah. But I don't think you know, like, the way they're doing it, they're calling other tools to perform those tasks. So in that example where they're doing discovery, they're calling Nmap or whatever it is, you know, to actually do the profiling. So it looked like Nmap scanning you, you know, or any other scanning tool for that matter.
Rick Yocum:Well, that's a good point. The fundamentals remain the same. It's just happening at speed, and it can start to happen at scale that might not have been
Justin Leapline:as easy before. Decisions, you know, into that. All the individual tools are, you know, like, you look at that. That's the p test methodology, you know, and all that stuff. Like, that's what they were doing was nothing new, you know, from a a human pen tester.
Rick Yocum:You know?
Joe Wynn:But what might be unique there is that they went from doing an Map scan to leveraging the results of that on the same device to doing something else in a way that, like, our normal pen testers are not going from this step to this step to this step so rapidly.
Justin Leapline:So rapidly. Exactly.
Joe Wynn:And that might be the anomaly.
Rick Yocum:Or or going from victim to victim to victim so rapidly. Right? Because they both exist.
Joe Wynn:Right. Now how do you how do you pick up that? And probably if that's had the same MSSP, who's able to see this happening at multiple places at once. Yeah.
Justin Leapline:But the Internet is constantly being scanned all the time. So Yeah. I mean, it's just gonna be picking up, you know, those vulnerabilities still. So, you know
Rick Yocum:Oh, yeah.
Justin Leapline:Your vulnerability management discovery because they were doing, like, common vulnerabilities like Oh, yeah. I forget what it was and everything. But they were just normal vulnerabilities. Oh, SSRF vulnerabilities.
Rick Yocum:Yeah. I just think we we might have lived in a world where small organizations, it was easier for them to get away with flaws. Not that they should. Right? But if they were a small fish, right, it's it's it's to me, it's the equivalent of you used to live in an okay neighborhood, and maybe you should always locked your doors, but sometimes you didn't.
Rick Yocum:And that was usually okay for you. And now the neighborhood's getting way worse and you might still forget to lock your doors and you're probably gonna have a worse time of it.
Joe Wynn:Yeah. Right. Thinking you're not a target, that was the biggest excuse forever.
Rick Yocum:Right.
Joe Wynn:Like, nobody's gonna do this to me.
Rick Yocum:Well, now Now it's easy.
Joe Wynn:Yeah. And maybe Easier. Maybe nobody is. Maybe because it's not even a person Yeah. Doing it.
Rick Yocum:Yeah. Yeah. Super interesting, though. I love the report. And, again, the transparency of it was awesome.
Rick Yocum:Yeah. And the chaining of events was pretty impressive. I I I It was well engine it was well engineered.
Justin Leapline:If you're a pentesting organization, you should go in and adopt this for your actual services. Yeah. Right. Right.
Joe Wynn:Well, that's what I was thinking when I was reading this. Yeah.
Justin Leapline:Yeah. It was like, oh, we could automate this.
Rick Yocum:You know? Automated red teaming is a thing.
Justin Leapline:It's just Yeah. But do it ethically and get paid for it. You know? Yeah. Then you do the thousand dollar pen test report, you know, after yeah.
Justin Leapline:Well, I would use a to
Rick Yocum:automate my reports.
Justin Leapline:Oh, yeah. But I'm talking about all those vendors out there that's like thousand dollars a pen test. You know? Oh, right. Yeah.
Justin Leapline:Yeah. It's like Right. Now you could technically do that because AI is doing everything. Right. Right.
Justin Leapline:Have it do the whole thing. But yeah. So yeah. So what's I mean, is there anything to do out of this? I don't think so.
Rick Yocum:I mean, I think if you're an enterprise and you're not actively looking at utilizing AI to bolster the speed at which you can defend against things
Justin Leapline:Mhmm.
Rick Yocum:Or at a minimum to detect because, you know, there might just be operational realities with the patch cycles that you have that you can't even if you know about things faster, you can't patch any faster. But anomaly detection and response to that, if you have the capabilities to go after that, you should start going after that.
Justin Leapline:That's a good thing. One thing that we didn't really talk about, and I think one reason why they went to Anthropic is do you really think the skill set is there to kinda roll their own process, their LLM and integrations into that? While you can do that, it's more difficult. You know? That's a great.
Justin Leapline:So is the skill set there for you know? I mean, I'm I obviously, you know, nation states, they can get it. You know? If they don't have it,
Rick Yocum:they can pay for it. You know? But it's interesting they did this was a nation state, and they didn't.
Justin Leapline:They didn't. Yeah. They're using a third party
Joe Wynn:Yeah.
Justin Leapline:To do that. So maybe that's not there yet, which is actually beneficial because you have third parties that can close it down quickly, you know, into there. If they had their own infrastructure, that would be a lot harder to actually close the door on, you know, into that.
Rick Yocum:Yeah. You start white listing parts of the Internet. I mean, what do you do?
Justin Leapline:Yeah. That that yeah. Get signatures out there, you know, do kill do some kill chain, you know, type stuff. You know? I mean, like any other attack and exploit.
Justin Leapline:Yeah. So yeah. But that is interesting that they're going over a third party. I thought that was a unique thing.
Rick Yocum:I hadn't thought about it like that, but that is a really interesting point. Yeah.
Joe Wynn:What's on this? Well, I think this kinda leads right into another topic we had, which is a little bit about applications and AI via MCPs, modeled context protocol.
Rick Yocum:Mhmm. What is that, Justin?
Justin Leapline:So that's basically you look at it as kind of an API for AI. Yep. You know, as its simplest thing. It's basically a way to offer it's in the middle letter context, you know, into AI to pull on various different services and to actually execute tasks if you allow it from a permission base.
Rick Yocum:But typically against applications. Right?
Justin Leapline:So this is so Other AI applications. Can talk to
Rick Yocum:apps without scraping screens and stuff.
Justin Leapline:Exactly. So, you know, all the popular applications out there, Jira, you know you know, does AWS I'm sure they have some, you know, things. And there's a whole bunch of that have, like, context only. So there's a bunch of, like, frameworks or things of that nature that they just put out, like, read only, like an easy way to digest their docs for AI. Right.
Justin Leapline:So we use a bunch of that within, like, Versus Code because, you know, if, you know, it's if you look up In In a Yeah. You know, where you're pulling off, you know, your back end services and, like, here's how the back end API is actually designed. Now use this as a reference when you're designing calls and API calls, you know, from the client side. So it adds a lot more stuff, but it's not limited to that. You can actually, you know, put it to actually perform tasks.
Justin Leapline:So if you put various tasks like I I think I mentioned before, we use linear as our ticketing system for development. We have in there that you can actually have it from linear actually create, you know, issues. It will actually trigger various agents to actually try to fix code for you, you know, into that Copilot will actually if it's simple enough, you know, if it's very complex, it won't work, you know, into that. But it will create a pull request based on the ticket and actually give you an approval for it. So if it's something pretty simple, like, hey.
Justin Leapline:These should be you know, this button should be green or, you know, change these parameters around Syntax error. Yeah. Something like that. You can actually task it. It will evaluate the code.
Justin Leapline:It will propose, you know, like, commit a change, open up a pull request, and then attach the ticket to it, and then say, Justin, it's ready for your approve approval. And if I had approved, all that code gets merged. You know? That's cool. That.
Justin Leapline:So, yeah, it's pretty powerful. But, like, anything else with APIs, you know, it they could be up for bugs, you know, in that. In fact, we've already had a number of vulnerabilities related to MCPs, mainly around permissions, you know, into that. Whereas, you know, like, they they didn't permission it right. You get more data back than what you're supposed to be getting within your workspace and things of that nature.
Justin Leapline:We've actually explored a little bit about opening up an MCP for a PISCI, you know, into this. We're being a little bit careful about it, but, you know, so that you can actually query, you know, and hook in. You you can't put it in the workspace right now. You gotta be big enough. You know?
Justin Leapline:Sure. But to put a connector, but you can put kind of a dev connector into it, and then you can ask it, you know, straight from, like, a ChatGPT, you know, to do stuff for you. You know?
Rick Yocum:Right. So in theory, if if I had an enterprise instance of ChatGPT or or Copilot or whatever, like native within Teams, and that integration setup, I could call the command or slash a pisci or whatever it is to invoke the agent to go talk to
Justin Leapline:Yeah.
Rick Yocum:The model context protocol.
Justin Leapline:Issues back Yeah. And then evaluate maybe next steps if that's what your task or it could even you know, if we you know, once we get it in there Yeah. It could create task for you or issues or something along that line. So I think that'd be pretty helpful and then natively integrate with, you know, like, the NCP, the nice thing about it is it's an open protocol Mhmm. You know, into that set.
Justin Leapline:So Claude can use it. You know, OpenAI can use it. Anybody can really use it as a digestion and or execution point from AI. So now
Rick Yocum:I'm thinking, like, third party management. Hey. Hey. Update this vendor questionnaire that I've received based on the most recent instance of my control testing. Yep.
Rick Yocum:Yeah. That kind of stuff. Yeah. Fantastic.
Joe Wynn:Yeah. Because with the MCP, I mean, really, you're just turning your LMM into an operator and you're giving it access to be able to run all these various things, you know, read, write if that's the kind of permissions you give it. But, you know, what what are the the threats, I guess, you can have is the risk you can have is that if it's not engineered and controlled well Right. Then you can run into other issues like, you know, if it's compromised, it can start taking, you know, really impactful actions at machine speed. Yeah.
Joe Wynn:Yeah. And so, you know, kinda thinking I mean, maybe that was a little bit of the backbone of the anthropic attack. Right? And so MCPs running at machine speed.
Justin Leapline:Yeah. Yeah. So, I mean, I think the I mean, we're talking about securing them. We talked about them. Really, the security the primary point is identity, you know, identity and access.
Justin Leapline:You know? And like anything else, there's a lot of different ways. You could give out static keys, you know, tied to a permission. It could be a service account that has full blown permissions, you know, into that. You could do some type of session token, you know, where you're kinda doing a, you know, an OAuth going to, like, the portal, getting a validation, then hand it back to the, you know, the application of choice and then passing that.
Justin Leapline:That's probably the preferred way, you know, that you're basically given permissions on, you know, your user. It it depends on the use case at the end of the day. Because you could have scripts that you want with certain permissions and maybe not all the permissions you have. So if you're an admin in a SaaS, you and you just want tasks to be updated, you should have a granular, you know, permission base where only tasks can get updated in a certain workspace or project or whatever it is, you know, into that context there. And that's where it gets a little bit challenging.
Justin Leapline:Like, do you want a super admin to just follow their permission everywhere they go? Generally not, you know Right. Into that. It really depends on what they're trying to do.
Joe Wynn:That's a good point. I was reading a little bit about what kind of threats there might be, and I wanna see if you're experiencing this. What you're looking at is, you know, sometimes the apps, you get the challenge, hey, I wanna grant access your you know, for my company's m three sixty five. I might get an an approval alert, grant access, and next thing you know, it's requesting full rewrite access when it only needs, like, partial access to to things. And so, you know, once you're using an MCP and it's doing that, then, you know, a compromised system now has access to way more than it than it needed.
Joe Wynn:And how how do you start thinking about this from a a control perspective?
Justin Leapline:Yeah. So there's certain protocols out there like OAuth where I I'm sure you guys have seen it when you log in to other sites and they give third party access into it. Yep. You actually have control of what you're giving if they design it right, you know. Because there's a certain necessity.
Justin Leapline:Like, we need this data no matter what, you know, and then there's certain options.
Joe Wynn:Is that like login with Google
Justin Leapline:Yes.
Joe Wynn:Login with your Facebook?
Justin Leapline:Exactly.
Joe Wynn:I'm always looking at those pages going It's like,
Justin Leapline:do you wanna give all your photos access or a certain library of access or none? You know? And that's where you can kinda dictate, you know, like, how much connection you want into that. It's a little bit different from, you know, from an NCP per se, but essentially that concept there. You know, you're giving it on what you approve on that connector there, you know, the access that it's needed.
Justin Leapline:And you can check all the boxes, and that will give you the most, obviously, design flexibility of what, you know, it could be, but maybe that's not always the case you want, you know, into it. So, yeah, it that that's the number one thing, and that's what's normally broke. There are some was that, like, not cross site scripting, but, like, injection Sure. Type stuff depending, again, how it's designed on the back end and handling some of that stuff. Again, it it it's an API at the end of the day.
Rick Yocum:You know. And I think a lot of the things that go wrong with APIs, right, are gonna be the same. So the way that I think about good APIs is essentially, it should operate to the greatest extent possible as a user. Right? So if it's just always admin and no monitoring, well, that's kind of a problem.
Rick Yocum:And it's kinda easy mode, but in a more ideal state, you're monitoring what's going over like the the things being sent and received, you know, over that API in the context of sort typical user controls. Right? So if typically you wouldn't have a single user download every record from your CRM, well, you probably shouldn't let the API do that.
Joe Wynn:Right. Yeah. You can actually build, you know, continuous go think about continuous monitoring. What can you build? Can you monitor for what might be agentic behavior?
Rick Yocum:Exactly right.
Joe Wynn:Rapid sequential tool executions, unusual high combination of actions, you know, high volume file access. Yeah. So things like that. So can you build that monitoring in to the tool sets?
Rick Yocum:And it's tempting when you're getting it done quick and dirty in terms of building an API. Just be like, well well, we don't have time to build all the monitoring right now and and and treat everything, you know, in a session under the user context and alert on it appropriate.
Joe Wynn:But all the stuff and then there's best practices. Another best practice kinda like that is who always would build in, like, logging to the degree you want. Exactly. What's this thing using? What tool did it access?
Joe Wynn:What what did it see? What did it write? What did it return? Yeah. I mean, I don't I'm not sure if everybody's going to that level detail.
Justin Leapline:No. They're not. Because what commands you actually put into an MCP is largely on the developer side. Right. So your example on, like, pulling back a CRM, that could be good, like, as designed or not as designed.
Justin Leapline:So a a good example is this. If I'm writing an MCP as a connector into my CRM Mhmm. But I didn't put a search function into it. I have a list function Oh, totally with you. You know, type of thing.
Justin Leapline:And I say, give me all the people with the first name of John. You know? It's gonna have to pull down the full list, you know, to do that because I didn't give it a search, you know, context, you know, into that. So it's gonna pull the full list and then filter
Rick Yocum:on John. Well and, again, this is where, like, app capabilities come into play and all sorts of things like that too. So yeah. But I think, ultimately, any API, including model context protocol, should operate, like, kind of underneath or in a little in compliance with the standard controls Mhmm. And not outside of the standard controls.
Rick Yocum:Right? It shouldn't just be an unmonitored admin.
Joe Wynn:Right.
Justin Leapline:Yes. Absolutely. Yeah.
Joe Wynn:Yeah. And so what happens when your MCP goes rogue? Need to be able to quickly shut that thing down.
Rick Yocum:Kill switches.
Joe Wynn:Yeah. Kill switch.
Justin Leapline:Yeah. Well, again, MCP is only gonna do what the I AI is gonna tell it to do. You know? Mhmm. And if you give like, there's different options.
Justin Leapline:Versus code is what I know. Like, well, you can actually have and, Claude, you could do this with this with, like, a Gentec AI. You can actually say, don't worry about my approval. Just go, you know, type of thing, or only spend so much time doing this, you know, like, five minutes and then, you know, come back. You could basically say, like, just go, you know, depending on the app.
Justin Leapline:Right. And it would just go. You know? And that could mean removing what was the there was a story it was months ago, but somebody talked about, like, it gave it a task of trying to secure a a repo, you know, a repository of code, and it ended up deleting the repository because it was like No.
Rick Yocum:No one can
Justin Leapline:get to it now. This is so bad. Like, we just gotta start over. Yeah. That's funny.
Justin Leapline:And it actually gave it the permission to delete, and they it deleted the code base. You know, they were able to get back, but it was a funny story, you know, that AI concluded it was insecure, and the best way to proceed was to just delete the code. Right. Yeah. Get out of the
Rick Yocum:hack if it's not available.
Justin Leapline:Right. And that was through an MCP. You know? Like, you know, it wouldn't be able to do that without that access into that code base, you know, into there.
Rick Yocum:But, like, governance around all this stuff is critical. And I and I wonder if, to your point, like, a kill switch on an MCP is, in some ways, also as valid as a kill switch on an agent. Because you're right. It'll only do what the agent's saying. But, like, I start to think through weird future scenarios like, I mean, we remember ARP storms.
Rick Yocum:Right? Well, what if there's an agent storm? Or what if a bad guy wants to de what if you have a whole bunch of automation via agents and orchestrations in your network? A bad guy gets into the wrong place. He can call a command.
Rick Yocum:He says, hey, all agents listen to me right now and do x y z.
Joe Wynn:Right. You're thinking about, like, the futuristic scenario where you create these agents. They're out there running You
Rick Yocum:have the ecosystem. Doing the
Joe Wynn:things, and you actually don't even need to man them anymore. They're just kinda running Just automations. Yeah. You know what I'm thinking about, and we both played this video game, Cyberpunk. Yeah.
Joe Wynn:And on the other side of, you know, the firewall, what they call it, know, they had these agents that were running rogue, and there was no kill switch on.
Justin Leapline:Exactly right.
Joe Wynn:So, you know, that's a little bit further out that maybe I'm thinking
Rick Yocum:about now. Today risk, but but I think, you know, today's is when you need to start thinking about the governance around where you build in the controls
Justin Leapline:to something. I think we're looking at it from the wrong end. I think we should be looking at it from the server side, you know. So should we have users be able to delete all the code? You know?
Justin Leapline:And maybe put some, like, reasonable rules into that. Like Oh, yeah. They can delete a file. Okay. That's but can they delete five, ten, fifteen, twenty?
Justin Leapline:You know? And then you start putting into that, like, I don't care who you are. You can't just delete it and But
Joe Wynn:it's kinda like what Rick was saying earlier. Treat it like a human identity. Give it an a real identity with real least privilege. And
Rick Yocum:and and I fully agree with that. Yeah. That's not the net new control points, though. Right?
Justin Leapline:Like, can do that. I mean, killing the agents, the bad things already happen. You're killing that agent because it's already gone rogue and bad and all that stuff, you know, type of thing.
Joe Wynn:Is there a way to reach in and just give it a command that makes it just stop because
Justin Leapline:Right. I'm saying like like limit what the agents can do no matter what. Like, give it permission to say, yes, you can delete a task, you can add a task Mhmm. But you can't delete add a 100 in a minute, you know, or, you know, delete all of the base. You know?
Justin Leapline:That's fine. But then I'll just make
Rick Yocum:a 100 agents that can delete one at a time.
Justin Leapline:And and again Again, like,
Rick Yocum:there's there's other background issues that allow me to do that that need to be addressed, obviously. But I think these are some of the in in such an unknown world in terms of how these ecosystems are gonna evolve.
Justin Leapline:Yeah.
Rick Yocum:Like, I don't know. If it's not gonna take a gazillion more hours of dev time or or or thought, just consider Scary, how do turn these things off?
Justin Leapline:Brute forcing as a control, you know, and we limit it down to a reasonable time in an amount of Yes. You know, in the Absolutely. So, yeah, looking at that, it's like, alright. Yeah. The here's the threshold.
Justin Leapline:If it goes beyond it, there's gonna start to be blocks and alerts, you know, into that. Without it out.
Joe Wynn:Yeah. It's not a whole lot different than, you know, putting a a junior engineer with super user in production and telling it to do stuff
Rick Yocum:AI as an intern. AI as an intern.
Justin Leapline:Yep. I like it. K.
Rick Yocum:Alright. That's cool.
Justin Leapline:Anything else along that lines? We haven't brought up the the book yet.
Rick Yocum:Oh, we haven't?
Joe Wynn:No. What book you got there?
Justin Leapline:Yeah. Are we doing GRC engineering?
Joe Wynn:We could talk about that. Sure. Yeah. Might now might be a good time because, you know, you're kinda, you know, relating all these things. We're talking about building, you know, the software, building these apps, using AI to do it.
Joe Wynn:But before we
Justin Leapline:do that, Why don't we this is about half, I think. Well, mine's less than half. Oh, I meant halfway through the episode. Yeah. Perfect.
Justin Leapline:So why don't we review what we have today? Yeah.
Rick Yocum:What what do we have today?
Justin Leapline:So this is a new creation from Knob Creek. Mhmm. It's their thank you, sir. It's their twenty one year aged into this. They've never done anything this old.
Justin Leapline:In fact, most people have never done anything this old.
Rick Yocum:It's so old my drink can drink.
Justin Leapline:Yeah. Right?
Joe Wynn:As I said, my kids can't even they're not even as old as this.
Justin Leapline:Yeah. So 100 proof. It is a very caramelly, like, very thick over the tongue into this, and you get a lot of char, you know, like, we all tasted that kind of the barrel charred, you know, into that. Very easy to sip though.
Rick Yocum:Super rich.
Justin Leapline:Into this. And if you're interested, this is their first run of it, and they said limited release or limited edition. So they might be doing something in the future, but this is not gonna be a staple on the shelves Yeah. With that. You guys like this?
Rick Yocum:It's I do like it. I think you probably need to like a heavy char to like it. Yeah. If that's not your thing.
Joe Wynn:What I find about it is and I I don't mind the, you know, the heavy char, but I also with it being, you know, 100 proof
Justin Leapline:Yeah.
Joe Wynn:It's not running hot like I would expect. So it's a little bit more smooth. You usually, I'd like wanna throw
Justin Leapline:I know something get it. Everything.
Joe Wynn:Open it up, but it's it's doesn't need that.
Justin Leapline:Yeah. I agree. Twenty years in a barrel. One of the things that maybe the eyes doesn't know. So there's evaporation always that happens within the barrel, and it's significant.
Justin Leapline:It's people will probably correct me on it. It's like three to five percent every single year, and it adds up into that.
Joe Wynn:So What do they call that? The angels
Justin Leapline:That's the angel share that goes up into that, and they call the devil share, the ones that, like, go into the barrel.
Rick Yocum:Devil cut. Yeah.
Justin Leapline:Yeah. And it was at what? Jim Bean has tried to, like, extract it out of the wood and made a drink. It's not that good into that. But that's where the influence of angels envy kinda came about, you know, was the angel share and all that Yeah.
Justin Leapline:Stuff. But yeah. So there's an evaporation out of the barrel because they're not a 100% tight, you know, into that. And when so as a comparison, I heard this from Buffalo Trace. They're typically 50 gallon barrels.
Justin Leapline:If after twenty years, you're left with about eight gallons.
Rick Yocum:Yeah. The Internet told me very quickly that it's three to 5% in the first year, and then it and then as the barrel saturates and a little less oxygen goes through, it's one to 5%.
Justin Leapline:One to 5%.
Rick Yocum:But if it's like a volatile environment like the tropics, it can get, like, almost double digits, but it's usually between one to five in subsequent years.
Justin Leapline:Yeah. And I also think it depends on where it's stored, also where it's at within the Rick house Mhmm. And everything. So if it's up in the rafters where the sun and all the heat kinda rises, you're gonna get more volatility Yep. Especially in the summer into that.
Justin Leapline:So, yeah, it turns into A
Rick Yocum:couple percent a year for twenty one years, that's
Justin Leapline:Right.
Rick Yocum:Compound interest
Justin Leapline:adds up. Yeah. Exactly. If you know your math, know, 1% isn't just one percent every year. It's 1% on the remaining volume, you know, into that.
Justin Leapline:Yeah. So it gets bigger and bigger, you know, that's, taken out. But, yeah. And at the end of the day, it's just more expensive from the consumer. I think this runs in the PA state store two fifty.
Justin Leapline:Okay. You know? So not insanely crazy, but not an everyday drink, obviously. Yeah. Yeah.
Joe Wynn:Yeah. So if I'm not getting hallucinations here, 5% is about 2.6 gallons per year. And I said over twenty one years, how much would that be at Did
Rick Yocum:you ask AI to do this?
Joe Wynn:Yeah. Yeah. Yeah. So as Chatterjee Petit is not hallucinating here, if you're losing 3%, you're about 25 of that 53 gallon gone.
Justin Leapline:Yeah. About that.
Joe Wynn:And if it's 5%, you're losing 35 gallons of that 53 gallons.
Rick Yocum:It's a lot of product.
Joe Wynn:So you're basically half the barrel is gone.
Justin Leapline:Yeah. And one thing that's not well known is in Kentucky, you pay a tax every year on the product you hold Yeah. In the barrel. Yep. And you can I think you can write it off, like, on your losses, you know, into that, but they have to cut checks of the government on the volume that they hold every single year Yeah?
Justin Leapline:Which is kinda crazy to me.
Joe Wynn:How does it go down every year? Because they have less and less in
Justin Leapline:the balance. They can write off that, like, they it's almost Production losses. Yeah. Exactly. Like a depreciation, I guess.
Justin Leapline:You know, it's like, hey, we lost this, you know
Rick Yocum:Yeah.
Justin Leapline:Into that. So but, yeah, they pay taxes and, yeah, that's kinda crazy to me that they're not making money. They're not selling anything. They're just holding an asset, and they get taxed on that asset, you know, into that. Yeah.
Justin Leapline:Anyways No. Good
Joe Wynn:stuff. Yeah.
Justin Leapline:Cheers. Cheers, guys. Thank you. Alright. Going back into GRC engineering, like, we never broke from that.
Justin Leapline:Right? Now that
Rick Yocum:we had a drink, let's talk about GRC.
Joe Wynn:Exactly. You need to. You need to talk about GRC when you're drinking or you need to drink when you're talking about GRC? Yes. Okay.
Justin Leapline:Yeah. Good. So well, we
Joe Wynn:were thinking about how that concept fits into the other things we're talking about. And if we kinda, you know, go back to we're talking about, we have, you know, systems. We have AIs. We have AIs that run really fast. AIs that do things and are tricked into doing things.
Joe Wynn:AIs that break because of a code issue. Yep. So all these things. And so what are you hoping your GRC team does? You're hoping your GRC team maintains that second line of defense, Help hopefully, overlooking and overseeing what's happening.
Joe Wynn:Mhmm. And we're also hoping that our GRC teams are evolving and not, like, still having the the the paper or the word docs or the Excel? And how do we start to move from having a place where GRC is writing these policies and these policies are all kinda just in a file, And then you're expecting your developers, your engineers, your team to do this stuff separately. And, as we start thinking about GRC engineering, we start thinking about how are we going to well, let's let's let these systems start to represent, both into the policies and let the policies drive what's allowed to happen in the systems. But let's put that all in the system.
Justin Leapline:Mhmm.
Joe Wynn:So that's kind of the general concept of, this. What's the book you have there?
Justin Leapline:Yeah. So this is GRC Engineering for AWS, by AJ Yon. I picked this up probably about a month ago. I have not read through it yet, to be perfectly honest. But one of the things that I really like what AJ did through this is he gives a lot of for examples.
Justin Leapline:So I don't know if you'd for the people that aren't on YouTube, there's a lot of scripts actually into this, a lot of actual real world stuff that it gives that you can actually download and do this. And this is highly geared. Obviously, it says for AWS, so don't try to take this over to Microsoft, you know, into this. But, you know, it is the most used cloud platform. And, yeah, I think my personal opinion from a GRC engineering part, I've said this multiple times to different groups, I think it's the future, you know, into this.
Justin Leapline:Sure. But it's really hard to migrate from the mindset of traditional GRC. Like, if you walk up to, you know, you know, financial fintech organization and say, hey. We have all these GRC people that have been doing audits, but now we need some engineering people. They're gonna be like, what?
Justin Leapline:Why? Like, why do you need engineering people, you know, in a GRC role? You know? Like and so it takes a little bit of education for execs. But if you can demonstrate value, like, sometimes it it I I honestly believe it will actually give more payback at least in the GRC space than sometimes AI will.
Justin Leapline:Purely AI. Fully agree. You know? Like, just all the stuff of trying to measure and, you know, and provide assurance, like, you're pulling stuff. You know?
Justin Leapline:And the middle road, I recommend customers is can't your GRC team get a read only access into the environment? Like, can they pull the the the stuff themselves Yeah. Instead of pulling on the SMEs to, like, pull the rules and, you know, pull the configs. Like, if you have knowledgeable GRC people and they have the access and they can pull it themselves on, you know, write a test procedures, like, click here, pull here, download. You know?
Justin Leapline:They can do it themselves.
Joe Wynn:Oh, yeah. And I wouldn't even, you know, I would even like, you said maybe it's different than AI, but I won't wanna give the idea that we're not thinking that in integrating AI tools into this, it can be totally part of the solution. Absolutely. Yeah. Because what you're trying to do is go from documentation, meetings, and audits to solving software engineering problems that can accomplish the same thing, which is letting your controls be automated, testable, observable
Rick Yocum:Right.
Joe Wynn:Embedded in your cloud native, you know, frameworks and environments.
Justin Leapline:Yeah. I
Rick Yocum:I always feel like the good entry level GRC engineering is automating evidence generation.
Justin Leapline:Yeah. Yep.
Rick Yocum:Because No more screenshots. Right?
Justin Leapline:Yeah.
Rick Yocum:Yeah. Hey. Hey, admin. You don't need to you don't need to, like, take the screenshot anymore. Instead, we want you to execute the script.
Rick Yocum:Right?
Joe Wynn:Or let's create a system that just runs and it's just always able to say at any given time, here's what it looked like over so Right. What's it like an ISO audit? An ISO audit is not really looking for a ton of historical evidence all the time that your controls are operating. They're looking more for conformance. But a SOC two auditor is coming in, and they're looking for that thing that went wrong.
Joe Wynn:So they're gonna wanna know Right. Well, how did you know every day that this thing was okay? Well, instead of having somebody do a screenshot, where's your repository? And can it just go there?
Rick Yocum:Well, absolutely. And and does it have to be a picture or can it be a a scripted thing that generates data? Right? And and the code itself of the script is maybe screenshotted for perpetuity or put locked into a a place where, you know, only a couple people can touch it and it's fairly validated. But it starts to move you if you can move away from some of the slightly pain in the butt tasks or things that, people are e they typically forget to do, that that gets you quite a bit of brownie points often with the engineers.
Rick Yocum:But it also, from a GRC perspective, lets you start doing things like full population reviews as opposed to, you know, specific sampled reviews or or things like that. It also allows you to then and and again, this is sort of this maturity evolutionary evolution, but you can then start to do things like, oh, well, I have relatively recent copies of the data at various points in time. Are things getting resolved as quickly as I would expect them to? Or, yeah, it's not audit time yet, but I happen to notice that because we have the script running that this account wasn't removed in a reasonable period of time. Well, what happened?
Rick Yocum:Can we get in front of that? And now you're starting to dip your toe into continuous audit.
Joe Wynn:Right.
Rick Yocum:So I always think, like, entry level GRC engineering is very much just like, hey, just automate some evidence collection, and you'll be able to rack up a couple quick wins and evolve from there in a bunch of different directions.
Justin Leapline:Well yeah. And it even goes beyond that because, like, that's just, like, looking at the data and looking at the the deviations, you know, into there. You can also put solid guardrails to say, when you see the setting as this, now flip it back. Oh, absolutely. You know, it's like and then now you're controlling the environment to say
Joe Wynn:Control as
Justin Leapline:code. You know, with that. So with Terraform or with a lot of the controls within, like, you know, native cloud platforms, you know, you can actually build a template to say, here's how we're rolling out, you know, different instances, and here's our never change, you know, and here's maybe some flexibility, you know, into that and alert only, you know, type of things. But then you build it out into, yes, we know anytime somebody's coming into our environment, multifactor is absolutely enabled. Right.
Justin Leapline:There's no deviation to that. You know?
Rick Yocum:And then you just watch the script or the config or whatever that thing is that's doing that control for changes. And now you can be very confident that, oh, this thing looks like this. It works like this. Yep. It hasn't changed in the past quarter or week or month or year or whatever your time frame is.
Rick Yocum:Yeah, we're good. And I mean, this is like super aged information, but I don't think the theory has changed that much. Most big audit organizations, external audit firms that I know, and so typically, I would bounce my frequency testing off this is like, oh, if it's an automated control I mean, if it's important, you can test it every year if you want. But if you don't even necessarily need to. You can look at it every three years if you want.
Rick Yocum:I mean
Justin Leapline:I I I mean, you're basically just testing the validation that you're getting the right data.
Rick Yocum:Right. And if your change control is solid,
Justin Leapline:then Yeah. Such a smaller sample set. Mhmm. You know? Like, if you
Joe Wynn:have one is good enough.
Rick Yocum:Yeah. Exactly right.
Justin Leapline:If you have confidence on the the reportability of this and the validation, it's like, okay. I'm good from this point on. I don't have to test, say, you know, 20%, 10%, 50% if it's manual, you know, effort or something like that.
Joe Wynn:So if your change control is effective Yeah. They need to rely on
Rick Yocum:Yeah. Your access and change control becomes much more critical when you start relying on automated elements like that. Yeah. Because you you you just then have to evidence it and make that bulletproof. Yeah.
Justin Leapline:And once you get past I mean, obviously, it's a big lift at the beginning once you start down the automation, GRC path, you know, into that. But once you get to a happy place, you know, like, the amount of finding you head off is like, it it's basically turns into a onesie, twosie problem instead of all over the place.
Rick Yocum:You know? External audits can get a lot easier. Right? 100%. Yeah.
Rick Yocum:It I I've had some discussions where internal or external audit teams, but that are operating at layer three, look at the programs that have been set up when I'm managing layer two. And they go, well, let's talk about our reliance and reperformance strategy because we're confident enough in the program that you've built that we don't feel like we need we're not gonna get a ton of value spending a ton of time here. Like, we'll we'll look Yeah. But we're less concerned about this than we are at other places. And then everybody's super happy.
Joe Wynn:Oh, yeah. It goes from, you know, not annual compliance, but you're really just have continuous compliance.
Rick Yocum:Yes.
Joe Wynn:There's no, like, quick, you know, fire drill to do all the audit prep, get ready, make sure everything's good because it just gets good and stays good.
Rick Yocum:Yeah. And that's just a validation of design because Yeah. For practical purposes, your execution's solid. I call it my GRC Nirvana
Justin Leapline:after that. You're staring at a dashboard just making sure it's always green. Yeah. Right?
Joe Wynn:And that now now, do you even need to look at it? You can just train your MCP to just look at it and then text you when it's not
Justin Leapline:ringing. Exactly. Or yeah. You get alerts and everything. But that's essentially what you're doing.
Justin Leapline:You go into monitoring one. And that's not always okay. I mean, there's changes in the environment, new products, new things you're getting integrated, rules you have to be adjusted to accommodate, you know, new situations.
Rick Yocum:But your business as usual was so Oh, yeah. Absolutely.
Justin Leapline:You know? So I guess, you know, like, we all know the benefits to How how do you get there?
Joe Wynn:Oh, I was I was hoping you'd ask that.
Justin Leapline:Yeah.
Joe Wynn:Yeah. Because I was starting to think about, well, what do we need to start training the next generation of GRC people or the current ones? It's really like they need cloud skills. They need engineering skills.
Justin Leapline:Honestly, I mean, all you need to do is start taking some sys admins and put them into GRC. Yeah. You know? Like, that's
Joe Wynn:So you're solving it differently than I was saying. Yeah.
Justin Leapline:Yeah. I mean, admin sysadmins, they wanna script everything already, you know, into that. So you take people with native skill of cloud and, you know, and Yeah. You know, permissions. We I did this, like, years ago pre cloud.
Justin Leapline:You know, there's some tools that you can actually do the same thing for on prem Mhmm. Like Chef, Puppet, Ansible, if you're you're familiar with that. We actually did within our environment within gift cards, we put Ansible controls in and around all the PCI controls Mhmm. And tested it, and it would actually force the controls back if it changed. Yeah.
Justin Leapline:You know? And we were able to run this and then evidence it to the auditors. You know? So we're basically GRC engineering before that was even a term. You know?
Justin Leapline:Like, we didn't call it GRC engineering, but we're engineering basically all the controls within our environment and made it so that they're all audible within a a second of a script running. You know, it's
Joe Wynn:like Five years ago, you ever would have said to a sysadmin, well, let's look at your career path. Next in line for you is the GRC team. Right? That would have never been, but now actually, move from the first line of defense to the second line of defense. Yeah.
Joe Wynn:Start engineering some of the things that the GRC teams are doing. So now I'm having a different vision how you get there, and it may not be take the current GRC people who've been out there learning, understanding, getting more involved. So I'm creating a career map path here in my mind. Take those people who've been learning the hard way what it means to talk and educate the business leaders on business risk. They're gonna get promoted.
Joe Wynn:They might be the next chief risk officers, the next CSOs, and that's their path. Mhmm. And then as you start to look to backfill those people, now we go with what you said, Justin, which is start looking at sysadmins. Show them that there's a much more valuable place where they could be positioned in the organization, where they could start to move from having to how many GRC people get up at 3AM for a a down system? Not too many.
Joe Wynn:But the sysadmins do. So now what's the benefit? It might be you're moving to a more, you know, a different kind of job. Maybe one that, you know, I don't think I'd want an entry level sys admin moving into doing the controls code. I would want no.
Joe Wynn:I'd want somebody who had a little bit of background, some skills to start moving into that. And that's my that's my first take on a
Justin Leapline:new career path. Think, in my experience, the quicker path, you know, to get there from a role training perspective. I have met GRC people that have gone on the more technical route, you know, and then done some GRC engineering. They need more training, you know, into that. That doesn't mean they can't get there, but it's definitely a bigger lift Well, I can see
Joe Wynn:I can see it because I I kinda started off more as a sys admin and moved into security. Mhmm. So, you know, I could I could remember how to how to how to script.
Justin Leapline:You can kinda always go back to there. It was so funny. I was I was with a client and we're going through an audit together. I was representing the client and everything. We had auditors.
Justin Leapline:I won't say who it was from, but they they were technically inept. They're like, so what do you use for anti malware? We're like, well, we use Defender. Is that an anti malware software? I was like,
Rick Yocum:yes. Yes. It is.
Joe Wynn:The odd members asking you to tell them yes or no question about
Justin Leapline:the tool? Like Did they move on or I was just shocked they never heard a defender.
Joe Wynn:Right.
Rick Yocum:I'm like,
Justin Leapline:who hasn't heard a defender?
Joe Wynn:I used to play that video game twenty years ago.
Justin Leapline:Yeah. It was yeah. It was one of those things like, wow. You definitely don't have any technical skills.
Rick Yocum:Yeah. Not even close. Well, so I've actually implemented some of this at, like, three different places. One was very successful. And to your point, like, GRC Nirvana, feel like we got there, and then, like, two months later, they sold the company,
Justin Leapline:and that was disappointing.
Rick Yocum:But the the path because and I think you guys described it super well in terms of, like, the the talent the talent path. But if you're a manager Mhmm. Or a director in an organization that doesn't have this and you wanna start to dip your toe in, I mean, it's not super complicated, but the the way I've done it every time is the same. It's start by carving out your environment. So request that server or that resource pool in the environment or wherever you're gonna launch your automation stuff from.
Rick Yocum:Right? Make sure you get that infrastructure set up. It doesn't have to be big. It can scale over time. Just somewhere to start.
Rick Yocum:Make sure it's locked down to the point where you need it locked down. And the path I always took was and you guys know this about me, but, like, I IAM stuff is super close to my heart. It's also like a giant pain in the rear when and there's a bunch of kind of conceptually easy controls there that typically have a high volume related to them. So Like, nobody's at like Yeah. Everybody's not adamant.
Justin Leapline:Yeah. Right.
Rick Yocum:Right. Well, or even just like hire you know, new hire and termination controls. Right? Super easy. Like, how do people get assigned new stuff and approved for that?
Rick Yocum:How does transfers work? How do, you know, terminations work? And the way that I've always done it is taken the GRC teams I've had who understand the control the controls themselves and said, hey, I'm gonna go get a little bit of time. It's probably not gonna take a terrible amount of time, but from one of the engine for IAM stuff, like the active directory engineers that understands some PowerShell or know some scripting. Right?
Rick Yocum:And say, hey, just work together to automate this one thing. And that script for automated evidence pools is gonna live right here on our server, and this is how we're gonna do it. And then we can schedule the tasks or or whatever we want our orchestration layer to be. Right? And I'm talking a long time ago with basic stuff, but you can do all this stuff differently now.
Rick Yocum:But, ultimately, it's it's just carve out your environment, pick a couple controls, and then I would always just have my GRC people work with one or two of the systems engineers to start to build the thing. And then eventually what happens is some either some of the GRC people get excited about the the automation side and
Justin Leapline:go, oh,
Rick Yocum:this is kinda cool. Oh, I know a little bit of PowerShell now. Oh, and now I know some Python. Oh, wait. I can, you know, I I can grep my way through, you know, reviewing evidence.
Rick Yocum:Like, that kind of stuff starts to happen. And then the other it happens in the other way too where you get some engineers that are like, oh, this is way better than like, I I kinda like this controls thing better than, like, this operational chaos that I have to deal with on the daily. So you end up with this cross pollination that that works really well. So anyway, if you're a manager director that doesn't have this, I mean, it just starts with get a very small environment build, and then I would pair some of your GRC people with some of the engineers to knock out one or two controls, and then you build the framework from there.
Justin Leapline:Now do you get outside help to help you with that initial project?
Rick Yocum:I haven't. I mean, dude, a PowerShell script to be like if the system of record is we call it Workday. Right? A PowerShell script to be like, okay. An automated report extract from Workday into this into this place, review one file against another file, look for a termination date.
Rick Yocum:It's not someone's still there or not there anymore.
Justin Leapline:Like, it's easy. Yeah. I guess I was yeah. Stuff of that nature, maybe. And especially with AI, you can ask it to, like, do
Rick Yocum:something You probably don't need Yeah. To collaborate with the script or anything.
Justin Leapline:What about, like, if your organization's not using your aid in AWS and, you know, you're not using Security Hub at all or GuardDuty or, like, all the other controls into that. You know?
Rick Yocum:It's just like anything else. I mean, where are you going to look at the data? Right? And, I mean, the the very most basic way to do it is like, well, you can schedule most reports, and then you can script a comparison of one file to another.
Justin Leapline:Yeah. But, you know, if you have a whole bunch of instances and they're not all kinda uniform into that, you're basically running, like, Prowler or something like that, and they're all different.
Rick Yocum:And Yeah. I think that's
Justin Leapline:implement AWS organization to kinda unify some of the aspects to that.
Rick Yocum:That's a bit more of, I would say,
Justin Leapline:advanced use case. Would you like
Joe Wynn:That's not step one.
Justin Leapline:That's not step one.
Rick Yocum:Yeah. Yeah. Because I think what what happens is you start to do this GRC engineering stuff, and my experience is you end up finding additional reasons to support the simplification and consolidation of the technical environments. And where that's not operationally possible, you just make a call like, hey, this is easier to audit manually than it is to automate. Why would we automate it?
Rick Yocum:Yep.
Joe Wynn:Now one of the things that I'm glad you were talking about, like, identity and access management and getting deeply into that reminded me I I in prep for this a little bit, I was looking to see what some of that book's guidance was for GRC engineers. And and one of the things that said was learn AIM deeply. So really get into that. You know, I'll just share a couple of the other items is understanding network segmentation, VPC, subnets, routing, and if it is AWS from from that book, you know, learn AWS organizations
Justin Leapline:Yep.
Joe Wynn:Control Tower, things like that. Understand what CICD is and how, you know, controls, you know, plug into the pipelines. Yeah. So these are skills that I wouldn't say your typical GRC teams, at least a lot of the ones I talked to, typically have. But they're not hard to get those skills.
Joe Wynn:In fact, you can, you know, just you can actually get it's almost free. Right? You can you can get a free account on AWS for a while. You can take their training. It's all in there.
Joe Wynn:You start working your way through it. And I I think there are some AWS, like, call it a certificate certification. But it's
Justin Leapline:I've taken one, two. Yeah. Oh, they pay for certifications? Yes. They're paid for.
Joe Wynn:But they also have, like, their little free, like, you get this thing you put on your LinkedIn. You know, I did I took this course.
Rick Yocum:I Oh, yeah. Took this little test. Right.
Justin Leapline:Right. Don't know with those, but there are there are paid for. They have tracks and all that stuff and everything.
Joe Wynn:Right. And I was looking for, like, with if you're not even if you're in a place that's budget constrained and you wanna start advancing in this, there's there's material out there. Mhmm. And it's like no cost.
Justin Leapline:Mhmm.
Rick Yocum:But I I would also suggest, like, just be care don't don't overengineer your step one. Like, you don't need to have a fully automated CICD pipeline to do one easy I'm comparison.
Justin Leapline:And I agree. Yeah. I guess the the use case or at least the driver that when I get asked about it from a client is one of two ways. One, they're dealing with evidence fatigue. Yep.
Justin Leapline:Absolutely. Like, we have to deal with PCI, HIPAA, whatever it is, and you keep asking us for evidence all all year, every year, you know, multiple months because SOC two is, you know, in March.
Rick Yocum:And Well, there's eight different teams asking for Yeah.
Justin Leapline:Exactly. All that stuff. So getting evidence fatigue, you know, into that. But the other way is is Drift. You know?
Justin Leapline:Yeah. Absolutely. So, like, dealing with Drift between the different instances. So this should all be PCI, but somebody launched another other thing because we're scaling into another region, it and wasn't set up the same. And now there's controls in there that don't match to the control environment that what we're trying to do.
Justin Leapline:So that's where I was talking about like maybe the initial project potentially is bringing somebody in, helping you set it up and doing cross training into the GRC team. So how do we get security hub set up to measure these frameworks and pull the right evidence in? Cause it's not, it's not a 100%. They have built in frameworks. Oh, yeah.
Justin Leapline:But you have to enable GuardDuty. Yeah. Have to get in the right instances. You know? Does the map right?
Justin Leapline:You know? All that stuff. And that's where I think a veteran hand somewhere along the lines, you know, instead of a go take a course and figure it out. You know? Mhmm.
Justin Leapline:It it depends on the environment and all that stuff,
Rick Yocum:but Mhmm.
Justin Leapline:You can oftentimes get a limited project and get, you know, a week's worth of somebody's time to help
Rick Yocum:Oh, yeah.
Justin Leapline:Give a proof of concept and says, here's the value now that we have.
Rick Yocum:Well, and I think like most security tools, like, do you just start with prevent and blocking things and changing configs back? Or do you go, let's put it in monitor mode for a minute first? Like, I think
Justin Leapline:Yeah.
Rick Yocum:The way that I the way that I've always seen this done and and it also, I think, exposes a interesting conversation that we may or may not want to get into right now, but it's around, you know, is preventing drift of a specific config really a layer two function, or does that actually live in layer one? And then layer two is about monitoring for that drift.
Justin Leapline:Yes.
Rick Yocum:And then what are you building with GRC engineering? Are you building config, you know, can controls as code in layer one, or are you building the monitoring and observability bit in layer two?
Joe Wynn:Well, I think you end up getting involved to so if you have a, say, a a GRC person who used to be late line one Mhmm. And now they're in the second line, they're gonna be probably more successful at going and talking to the person in the first line
Rick Yocum:Absolutely.
Joe Wynn:To say, hey, you know, this setting here, why should it not always be that? Can we just have something that is always monitoring for that? And when it's not that, make it that. And that way, it doesn't change.
Rick Yocum:Exactly.
Joe Wynn:And then now, I'm gonna work with you and I'm going to build something that goes on to a dashboard or creating something that an auditor can look at at any given time. We're always audit ready. So the auditor comes in and says, what do you do? What's it supposed to be? And how do you know?
Joe Wynn:And so every time I sit in an audit, the first thing the auditor does to the group is, well, tell me what is your role and how do you help the security of this organization?
Rick Yocum:Right.
Joe Wynn:Alright. And so what control according to this control matrix or map, you're responsible for these controls. Tell me about how you handle this and how do you and then what do you do for it and then Oh, yeah. How how do you know that it's the right way? Yeah.
Joe Wynn:And if you can say, we've automated that. Here's the on the GRC standpoint from the second line of defense, we have this system. It's running. It's checking that. Mhmm.
Joe Wynn:And by the way, what we did was, well, we've never seen since we put this in place Right.
Rick Yocum:We've never seen change.
Joe Wynn:Deviation because the we also at the same time worked with the first line, and we said if you ever see this control this setting not that way, fix it. But as soon as you see it, throw a throw an alert. We'll catch it. We'll log it. We'll be able to say it was like that.
Joe Wynn:It was for seconds. And then, you know, what does that mean? That means that so if you have a zero tolerance, now you have a nonconformity. If you build your GRC, you build your governance appropriate, and you say, every month, we're allowed you know, we have a tolerance of 5% or in this case, you probably can go with 1% Mhmm. Of a deviation from this being effective.
Joe Wynn:And the risk of that, that analysis over here and we accept it now, we're at a point where we're still we don't even have a nonconformity because we built into our governance. We can have a, you know, that level of deviation for that amount of time and that's acceptable according to our governance. Now, you're running according to that internal OLA SLA.
Rick Yocum:Yeah. I fully agree with all that. I think my only note is I've been much more successful operating in a monitor mode for one month or three months or six months
Joe Wynn:before that.
Rick Yocum:Before I can get the operational teams to agree
Justin Leapline:Yeah.
Rick Yocum:To rely on my monitoring and automatically change something operationally whenever I see a bad monitoring path.
Justin Leapline:It's a team effort. Can't enforce some of this stuff without the operational team on board. In fact, like, you know, I mentioned that Ansible stuff way back in the day. Basically, the way we collaborated was, you know, I had all the controls. Mhmm.
Justin Leapline:You know? Like, a little bit pull from, like, some GitHub repos, modifications. Modifications. Yeah. And then I handed off to the operational team.
Justin Leapline:I was like, alright. Here are base controls. Tell me what works, what doesn't, what you would modify. And then we had a collaboration. He's like, this doesn't work because of this.
Justin Leapline:This doesn't work. This doesn't work. And then we came to a base, and we agreed. You know? And it's like, okay.
Justin Leapline:This is our base, and now we're moving forward.
Rick Yocum:And I I actually think that's one of the things that GRC engineering as a concept does. Yep. It's like one of those things that helps maturity extraordinarily, but doesn't get talked about as much as the automation component. It's just like the collaboration component
Joe Wynn:Yeah.
Rick Yocum:Yeah. And the communication stuff. Because now you're, like, talking the same language, you're working on the same stuff, and everyone's working towards, you know, kind of adhering to the same rule set Yeah. Which is different than GRC just, like, doing it in a vacuum being like, you did something wrong.
Justin Leapline:Yeah. And that's why another reason why I think getting a an ex system admin in there is a lot better because there's more of a peer into that than a GRC coming in with the knowledge. You can gain that. You know, there's it's not at, like, an absolute deterrent. But if you're like, I've configured this, now I'm just helping set rules of, like it's almost like I you've already achieved the my, you know, respect level,
Rick Yocum:you know, everything. I think that's probably true. And I think when I when I reflect on doing it in the past, I probably benefited quite a bit from having done, like, the the line one work before getting into the line two work because then I just like, oh, yeah. Well, this is typically how this works. You just speak in the same language to begin with.
Rick Yocum:Yeah. Yeah.
Justin Leapline:So, yeah, that's good.
Rick Yocum:So gins GRC engineering. Yeah. Go do that.
Justin Leapline:Yeah. It's good. I
Rick Yocum:Highly recommend.
Justin Leapline:Honestly, they it is the future, and anybody's experience pain through GRC, which if you have any GRC in your organization, it's pain, you know, into the initial. It's only getting get better with GRC, like with engineering mixed into that. So make a business case, get it up to your execs, get them to buy off on either getting a part time solution, like you get contract work to Oh, to do that. Joe, does your company do some of
Joe Wynn:that stuff? We we can help with some of that. Yeah. Yeah. And and I would even add that, you know, even just like splitting it out to smaller chunks.
Joe Wynn:Mhmm. You know, the first thing you wanna do and going with Rick said, monitor mode. So get some help, monitor some of the controls. If if you're a you know, what a lot of mature GRC teams have is they understand which controls have a higher, you know, non list of non conformities.
Rick Yocum:A sale rate or whatever.
Joe Wynn:Ones have more risk or it's controlling more risk. Those controls are more important. Or more attention. Yeah. And you need to put more attention.
Joe Wynn:So start with some of those, put it in monitor mode, and then see how many times that it's, you know, failing. So if you can do a small process, a small engagement to build, you know, five tests of your most critical controls and after a month, see how many times you've had problems there. Now you can take those things and have a real conversation with the engineering team on the first line and say, look, you know, how do we how do we start to remove some of these? Can you implement some things so that I'm not even gonna see this? Right.
Rick Yocum:Or there's times where you just go, oh, yeah. You're you're right. That's a totally normal use case. We need to change this control. Yeah.
Rick Yocum:Like, the way it's written is wrong.
Joe Wynn:Yeah. So
Justin Leapline:but yeah. And that's a lot of times like, you know, you know, AJ Young was recommending and I've been in organizations where they didn't implement AWS organization or Control Tower. And then while I was there, that was a big initiative and getting their 100 plus, you know, instant AWS instances under one umbrella was a great win, you know, into that. Then you're centralizing a whole bunch of stuff, you know, under that and able to enforce and measure, you know, into the that aspect there. Yeah.
Justin Leapline:It just it just built a ton of efficiencies.
Rick Yocum:And confidence.
Justin Leapline:Yeah. Yep. We get that insurance insurance level up. So, yeah, I think if you wanna look like a hero, you know, if you're in the GRC space and wanna look like a hero, definitely push this. You will not only win friends in who you're measuring evidence to, you know, but also to your board and senior management reporting.
Justin Leapline:You'll get more data. You'll get it, you know, lightning fast. It's it's there's nothing bad about it. It's just I think it's a mental shift, you know, essentially thinking about how you're gonna automate a lot of the control measurements. You know?
Justin Leapline:At the end of the day, enforce the controls at the end of the day. So I like it. Great. Do we have one more topic here?
Joe Wynn:Yeah. We have time.
Justin Leapline:We do have time. So I Unless it's gonna take another, like, forty five minutes.
Rick Yocum:We can lightning round it.
Joe Wynn:This could take forty five minutes
Justin Leapline:We'll be brief.
Joe Wynn:Go over all the things that we have notes on. But I'll let Rick, you you you called this our regulatory roundup because you were looking at our list and you saw what?
Rick Yocum:Oh, it's probably four or five things related to regulation or privacy and stuff like that. And then I think I I think it was you, Joe, but you you had sent a note around, oh, the EU might be pulling back on some of these things like, oh, let's just talk about all this together.
Joe Wynn:Yeah. Yeah. So the first thing, you know, so the quick summary here, the index is, you know, GDPR and EU, and then, you know, then we'll talk a little bit here about, you know, if you haven't heard the new ISO twenty seven seven zero one
Justin Leapline:Mhmm.
Joe Wynn:Twenty twenty five, I believe. Right? Is been released. But then there's also California has a new privacy and the SEC has the new SP Yep. Which kinda gets there.
Joe Wynn:And then if we still have time at the end, we can talk a little bit about CMMC, which is a low deviation from the privacy stuff. So yeah. I thought it was interesting when I saw that after all these years, the EU being the forefront for we're gonna have the, you know, world's most prominent and enforced and taken serious, you know, privacy Yeah. Is now talking about scaling back parts of GDPR and the AI act because some people have some concerns that these strict rules are hurting competitive competitiveness.
Rick Yocum:Yeah. I I I thought that was really interesting. I mean, I think those those regulatory bodies are seen as the gold standard in regulating that kind of stuff. Now you could argue whether or not it's good or bad or we like it or we don't like it. But as far as, like, robust programs, it is in the world for sure, like, edge.
Justin Leapline:Well yeah. And I have two things with that. One, I thought that this was really interesting seeing this article come out because last week, I saw an article that the member countries weren't happy enough that they're putting more strict regulations in, you know, into that.
Rick Yocum:So they were they were annoyed that the regulations weren't strict Yeah.
Justin Leapline:Yeah. Exactly. And but, you know, from a EU perspective, they're like, well, maybe we should lighten it up. You know? So this is basically, like, you know, doing a conflict that they're gonna have to, like, somehow muddle their way through.
Justin Leapline:You know?
Rick Yocum:Well, and there is an interplay here. Right? There's the general, like, GDPR regulation, and then member states can enforce stricter things where where they wish to do so within
Justin Leapline:They can. Yeah.
Rick Yocum:Some rules.
Joe Wynn:Yeah. And I think the big concern here was that they what they really wanna do is keep Europe from falling behind The US and China in, like, AI capabilities. And so it comes down to economics. So at some point, and, you know, I don't really like the way this is concluding is that privacy may not be as important as innovation and driving forward profitability.
Rick Yocum:Yeah. Go ahead. Or or or maybe maybe that could be reframed as maybe it's the importance isn't end debate. It's just the economic realities and what's expected of organizations in terms of sharing or resharing or monetizing. I think it might be more of an incentive problem than an importance problem, which are related, but,
Joe Wynn:yeah, different. Well, they wanna stay competitive without the, you know, regulation, you know what what's this one phrase here I saw is Europe's number one export product.
Rick Yocum:Oh, yeah. Oh, yeah. That was I forget who said that, but, yeah, one of the muckety mucks was like, yeah, our number one export can't be, you know, privacy regulation.
Joe Wynn:Right.
Rick Yocum:Right. It's an interesting point.
Justin Leapline:Yeah. But I don't think that's a right dichotomy, you know, into that, like, whether you get privacy but be more competitive or less. I think it's in the process, you know, and the oversight. So where do you put the enforcement? Do you put it on the agency of the company?
Justin Leapline:Like, if they mishandle it or do it outside the contractual bounds of the, what is it, the standard contractual clauses, you know, that they do and everything. Then they'll get punished. Or do you put it more that they have to jump through 12 hoops to even share it? You know?
Joe Wynn:Right. Right now, it's a huge problem to share. Right? Because but and with all these laws and everything, what I'm finding from just reading different contracts is so long that, like, if you're looking at a I was recently looking at a privacy policy for a website for a company in California, and it's had a lot of stuff on it for California law plus GDPR. And what it was getting to is saying that their way around all of this stuff is simply just posting in the privacy policy that if you're gonna use this site, you're consenting to all these things, and here's what we're gonna collect.
Joe Wynn:And if you don't like it, do not use this site. And at the end of the day, that was written in a very 20 some page privacy policy at the bottom of a website that to make it quite clear that we're gonna abide by the rules, but one of the rules are is that we are letting you know we're gonna be doing this stuff. Mhmm. And we'll have all your information. And we also give you the ability to contact us if you wanna change it or remove it or whatever.
Justin Leapline:Right.
Joe Wynn:Right. And so like all those things are in there. But but what it comes down to is with all this regulation and all these things that if you, for example, are doing customer support from a US based company to a site in Europe, you're actually need to make sure that you have some kind of contract that says the person's information who's gonna flow across the Internet and show up on the computer screen in The US even if it's RDP. Mhmm. Even if you're RDP ing into a a site in you know, you're keeping everything localized.
Joe Wynn:Right? Mhmm. That's one of the things you wanna do. And then you're viewing it from a screen here, it's still That's processing.
Rick Yocum:Yeah.
Joe Wynn:Yeah. Yeah. And and all of that seems a little crazy if you're controlling and protecting it all. But the fact is is that the EU governments do not want their EU citizens information showing up on a computer screen in The US Well without proper That's sign off.
Rick Yocum:True. But I think there's a couple things actually at play here
Joe Wynn:Yeah.
Rick Yocum:Because I I for hilarious, aggressive marketing email reasons, which I'll share with you guys a little later, I was looking at all of China's data privacy laws today. And
Justin Leapline:Kicks and giggles. You know? Yeah. Yeah. Well Next on the reading list.
Justin Leapline:Well, you know
Rick Yocum:you know these marketing emails that are that, like, gets sent to a CEO of one of your clients. It's like, hey. Everyone's you're you are super broken, and you're doing everything wrong. And you're like and then you get a question. Like, are we super broken and doing everything wrong?
Rick Yocum:And you go, well, let me look to make sure, but no, you're probably fine. That kind of thing. Yeah. But so so I was doing a a brush up on some of that stuff. And one of the things that's super clear and apparent is there there's a lot of law out there that is truly and intentionally targeted towards protecting the privacy of data and citizens and all that stuff in a, I think, somewhat reasonable way.
Rick Yocum:But ever since the Snowden disclosures, government governments have a vested interest in saying, hey, legally, you government in this other country are not allowed to spy on my people. And if you do, I need a legal basis to be mad at you and and and take some recourse. And that applies Recourse will never happen. Fair. But that doesn't mean it doesn't get codified into law.
Rick Yocum:Right? Right.
Justin Leapline:Yeah. Because how many frameworks that we have? We had the privacy shield. We have the like, we keep having the iterations of, like, sharing agreements, and they all get shot down at the end of the day by a court in the EU.
Rick Yocum:And then in addition to that, you have certain organize sort certain geographic organizations like Russia that have this pseudosanctioned well, threat actor groups kinda sorta operate at the behest of the government, but also not really, and they're kind of independent, but kind of oligarch led and all this stuff. Right? So what ends up happening is you have these, like, well intended privacy laws, and then layered on top of it is all this onerous stuff like, oh, and by the way, you're never allowed to move our data outside of our country. So much like you see in, like, US law where, like, one thing turns into, like, 30 things, and all of a sudden it's all being done at once, and it makes it kind of this weird unwieldy mess from a regulatory perspective. You see that in a lot of privacy law, some of which is in the EU, some of which is in other countries.
Rick Yocum:But, like, stuff that's intentionally designed to protect people and then layered on top is like, yeah, the onerous stuff that you're talking about. Yeah. Even if it's transmitted across, you know, across the pond and then it gets pulled up on screen. That counts as processing no matter what else you're doing. It's like, oh, because I agree with you.
Rick Yocum:Is that
Justin Leapline:really an issue? Yeah. But, I mean, there's ways around that 10 ways to Sunday, you know, type of thing.
Rick Yocum:Yeah. So find me a law that there's not.
Justin Leapline:Yeah. Like, first off, you assume that any type of agency spy agency is gonna listen to whatever the laws are, you know, type of thing, you know, into that, like, from a privacy perspective. You know, very unlikely. Then second is, like, even if you're not sending data, they're gonna get a a member state. You know, they're gonna give them $10,000,000,000 to say, okay.
Justin Leapline:Well, it's not leaving, but you can send it, you know, this Oh, sure. To us to, you know, this way. You know? Yeah. But, like, we get partnerships, you know, that we can query, you know, when we want.
Justin Leapline:So Yeah.
Rick Yocum:All that stuff. I'm not suggesting it's reasonable. I'm just suggesting the the evolution of it
Justin Leapline:Yeah. Yeah. Yeah. That was a good evolution. I I agree with that.
Justin Leapline:But I look at the kind of worthlessness of trying to actually put all these laws into place when they they'll never be enforced the way that they want them to be. You know?
Rick Yocum:Oh, so privacy theater.
Justin Leapline:Yeah. Exactly.
Joe Wynn:Yeah. There's probably some of that. So, you know, so with us I'm round Yeah. Yeah. I'm looking I'm looking to see what GDPR Did you just say about
Justin Leapline:that, by the way? Privacy theater?
Rick Yocum:Yeah.
Justin Leapline:Okay. Cool. I mean, kind of. But stamped. Yeah.
Justin Leapline:Trademark. Correct. That's right. Alright.
Joe Wynn:So every time I say that now, I gotta get you a drink. Yeah. So I I'm just looking to see what happens with GDPR here. Will this really take? Is it gonna get legs?
Joe Wynn:But related, just a few just just like a month ago or maybe two, ISO twenty seven seven zero one came out and the new version of it, the 2025, and it's the update since the 2020 or 2019. And what they've what they did was a couple of cool things, You know, now it's a standalone privacy information management system. So it's a standalone PIMS. It is they're separating the dependence that they had on ISO 27,001. Yep.
Joe Wynn:In the past, if you wanted to get a twenty seven seven zero one certification, you couldn't get that independently and have to do it as an add on after you already had your ISMS in place, your 27,001. So now you can simply just go and get a twenty seven seven zero one certification. Not now. It's gonna take, like, a year. So I was talking to some monitors who are ISO auditors and go through the whole ANAP and
Rick Yocum:because they have to get trained up on
Joe Wynn:Yeah. So there's probably about eleven, twelve months before they're going to be trained. And there's couple years before somebody who is running the 2019 version is gonna have to go through, that. But if you haven't seen it yet, just know it's out. Know it aligns with Nobody
Justin Leapline:has gotten certified on that? I thought I saw something.
Joe Wynn:Not the 2025 version. The 2018. Yeah. Because I don't think the auditors can audit to it yet because They're not certified to Yeah. That's what I was told by an auditor.
Justin Leapline:Okay.
Rick Yocum:And So if you see one of those stamps on our website.
Joe Wynn:That'd be very interesting to, you know, see and and please correct me you know, if there's also that I wasn't aware of. The but there's expanded guidance in it for data processors and controllers. There's more clarity on managing personal data within AI and, you know, the digital ecosystems. There's stronger focus on embedding privacy into the broader organization. But I do like that it was more intentionally built.
Joe Wynn:They used to say that the twenty seven seven zero one was like the standard built for GDPR, but nobody would quite go out that far in a way to say it. But this is more intentionally built to cross map to GDPR, CCPA, things like that. And so yeah, and if you so if you have twenty seven seven zero one twenty nineteen, you you gotta review it. You gotta go through and start your mapping process, you know, refresh all your mapping Yep. Look at the controls, perform you know, gotta reperform some risk assessments, take take a look at various things.
Joe Wynn:And I think there's a a few new controls in it and stuff, so you wanna make sure that you're getting those in place. And at some point, you need to schedule with your external auditor your transition audit. So that's the high level. It kinda kinda goes together with with that GDPR stuff. But what I'm So as
Rick Yocum:soon they get aligned to GDPR, the the GDPR is like,
Joe Wynn:well, maybe not. Yeah.
Justin Leapline:Maybe they'll
Joe Wynn:reduce their controls. Right. And and that's fine. GDPR can do that. Yeah.
Joe Wynn:I still think that if you're gonna go with a standard twenty seven seven zero one, go with it, select the controls that matter to you, justify them through risk assessments of which controls you're selecting and not, you know, and and kind of put that in place. So probably not much more to say on that, but I think there'll be updates that are coming as Yeah. You know, as it closer to the time where companies will have to do the transition.
Justin Leapline:So just looking at LinkedIn because everybody shares on LinkedIn when they get certified for some of it. It looks like there at least one company that has claimed twenty seven seven zero one certification.
Joe Wynn:Twenty seven seven zero one has been certifiable since, you
Rick Yocum:know, since it's out in '20 But you're saying 2025 version?
Joe Wynn:2025 version.
Justin Leapline:It was just released. Oh, but I thought that was one of the new changes with '20 seven seven zero one that you can get certified to.
Joe Wynn:Oh, no.
Rick Yocum:You can get certified without having the partner certification, without having the The '27 Yeah. Twenty seven thousand one. Gotcha.
Joe Wynn:Yep. Yep. As of right now, if you wanted to get twenty seven seven zero one, you'll have to have a preexisting or get at the same time 27001.
Justin Leapline:Yes. You'll be able
Joe Wynn:to do in a year from now is only get the 27701 independently. Meaning, you don't have to have your ISMS Right. Technically to get a PIMS. If you're an organization, that privacy is more important. Like, for me, I have a hard time grasping, like, why you wouldn't want both just because a lot of things I did always started on the security side.
Joe Wynn:Right. And I always felt you needed security in order to be able to properly control privacy.
Rick Yocum:Access is a prereq. Yeah.
Joe Wynn:But there are a lot of cross mapping and controls and controls in twenty seven seven zero one that are very much like security in aligned with the '27 Right. '0 zero one annex a. So there's there's some crossover there. They've made it complete enough that you can get it in place, you can trust the privacy with the kind of security controls that they say you you need. Yeah.
Joe Wynn:So that's, you know, that's the tie in of those. I think the next one on the list here was the California a b five sixty six. Do you remember the details on that one?
Rick Yocum:I do not, actually.
Joe Wynn:Yeah. I I think that's the one that California is putting in place requiring consumer then this probably isn't gonna affect a whole lot of people who are our listeners. It's really requiring consumer web browsers like Chrome, Safari, Firefox, to implement simple visible controls to let users send an opt out preference signal to websites.
Rick Yocum:And this is through their browser. Right? That's their the
Joe Wynn:browser. Yeah. Yeah. And the deadline for this to be in place by the browser manufacturers. So if you're about there and imagine if we have listeners who build Internet browsers.
Joe Wynn:If you're building an Internet browser by 01/01/2027, you must be able to support this opt out feature. So that's Which
Justin Leapline:I think has existed for a while now. At least in Firefox and Chrome, there are toggle switches that you can actually do that already.
Rick Yocum:What's the browser ChatGPT just released? Atlas. Yeah. Something like that.
Justin Leapline:So have no idea.
Rick Yocum:I wonder. Yeah. Interesting though.
Joe Wynn:I think continuing on, this one's sort of privacy related. It's the SEC SP. Mhmm. Yeah. So in May 2024, the SEC was modernizing some of the safe guard rules and disposal rules for financial environments.
Joe Wynn:So there's a couple of things you wanted to mention. You wanna
Rick Yocum:mention Yeah. Just if you're I and I and I think this only applies to publicly traded companies. Right? I'd imagine. Yeah.
Rick Yocum:Yeah.
Justin Leapline:Yeah. They only govern probably traded companies.
Rick Yocum:But so I I think the core behind this is if you're a maybe it's just for financial institutions too. Don't know looks
Justin Leapline:to
Rick Yocum:go. Institutions is what they call
Joe Wynn:it, which include broker dealers, registered investment advisers, investment companies, funding portals, transfer agents.
Rick Yocum:Yeah. So it's financial stuff. But I think it's basically saying that they reinforcing their need to protect some privacy stuff for their clients, but also doubling down on thank you. How they ensure that their sub processors or their third parties also protect their clients' data, I think was the main, if I recall correctly, the thrust of it.
Joe Wynn:Yeah. Yeah. And so larger firms are gonna need to comply with this by this the reason is this is a timely one. December 3 coming up here, and smaller firms will have until 06/03/2026 to meet the requirements. And, you know, some of the things in it.
Joe Wynn:If there's an issue, you need to notify effective individuals within thirty days when sensitive customer information's accessed or likely accessed without authorization. Customer sensitive information includes social numbers, driver's license numbers, biometric data, login creds that are tied to financial accounts. Yeah. And I'm looking here to see if there was something about the seventy two hour was this still another one that enforced a seventy two hour data breach reporting?
Justin Leapline:SEC already had that. Yeah. Yeah. Yeah.
Rick Yocum:But so Yeah. Was that it? I think that was most that was all the ones that I remember.
Justin Leapline:That all
Joe Wynn:the ones were privacy related, but then there was the you know, Justin, you found this article.
Justin Leapline:You wanna talk about it? Yeah. Sure. So there was an article out there. I'm actually
Joe Wynn:I think it was Forbes Magazine did it.
Justin Leapline:Yeah. So Seaman and Sea, they brought up that there's a real shortage of of otters out there Yeah. For the demand that's coming up. And I haven't I I haven't done a ton of CMMC. Joe, I think your company does
Joe Wynn:We do a lot of audit readiness for CMMC. So
Justin Leapline:what's the current situation with CMMC?
Joe Wynn:So November 10 is it went into effect. So that means that companies that are so mostly it's like primes and subs the subs the primes who are getting contract or starting to bid on contracts, those contracts were authorized come November 10
Rick Yocum:Mhmm.
Joe Wynn:To actually list CMMC as a requirement.
Justin Leapline:Okay.
Joe Wynn:Now, the difference
Justin Leapline:here New contracts have to follow it.
Joe Wynn:New contracts They have
Rick Yocum:to define what data is in scope. Right?
Joe Wynn:New contracts well, let me let me say this. The government puts out the contract Mhmm. And or the bid for contract. And the bids say that if you want to If you want If you wanna apply
Rick Yocum:To respond.
Joe Wynn:To yeah. This bid, if you wanna bid on this work, you will need to now be level one, two, three Mhmm. Mostly probably level two for of CMMC. And so Right. Before November 10 this year, the contracting parts of the government who were putting out these bids were not able to put CMMC in.
Joe Wynn:Although they were able to put the DFAR seventy twelve Right. Rules in before, which basically meant that since, like, the mid twenty fifteen ish time frame, you were supposed to be following NIST 08/1971. It's like that was something that was there for a very long time. What this new rule put in place wasn't that you have to comply with NIST eight hundred one seventy one. That's been something for a very long time.
Joe Wynn:It's now that we can have put in that you need to get an external audit.
Rick Yocum:To bid, you have to have the external audit. Passing external audit.
Justin Leapline:There has to be a grace period though.
Joe Wynn:No. The The
Justin Leapline:We got another cohost here. Is that Yeah. The Oh, anyways.
Joe Wynn:Yeah. I think one of our AIs went off in his phone. Right. Right. So one of the so because
Justin Leapline:I'm thinking, like, if there's, like, ten days left on a contract to bid
Rick Yocum:Well, I think the grace period's been, The last ten years.
Justin Leapline:Yeah.
Joe Wynn:No. The so what you so for the last several years, they've been telling companies, go get in line, get scheduled, get your CMMC, and for about the last eighteen months, they were doing these joint audits with DIPCAP and with c three PAOs from the very initial ones that were able to do it. So you said there's a shortage and that's right and I have some data I grabbed on that. But some of these like like, for example, we just, and you look at our LinkedIn, we just actually had one of our customers repost that we help them
Justin Leapline:Oh, awesome.
Joe Wynn:Get audit ready, and they passed their audit. They have their CMMC at level two. We've been working with that company since, I think, 2018, 2019. And as we're working with them, we were, taking them through various things just to help them strengthen their overall security. So because they knew one day they were gonna wanna, you know, be ready for, handling all this stuff, and they got in place to be able to to do it.
Joe Wynn:We took them through the audit. It was a nice it flowed really well. So now they with this certification, they have the piece of paper that says when a contract comes out from the DOD that they can They're allowed to bid. They can bid on it. And if you don't have it today They're you're prime allowed to there's I think they do both.
Joe Wynn:And if you're a company that doesn't quite have it yet and you want to bid, you can bid. But by the time that bid is awarded Right. You need to have your CMMC Oh, okay. Certification. That's your grace period.
Rick Yocum:But they've warning but they've been warning this for years.
Joe Wynn:Yeah. Like three years. Yeah. You know, there was I was listening to a different podcast where they were talking about the history of it. I just finished that this morning, and it was quite interesting.
Joe Wynn:So
Rick Yocum:But so what was the article? The article was
Justin Leapline:Yeah. That I
Joe Wynn:I can talk about it a little bit.
Justin Leapline:Yeah. I don't have it in front me.
Rick Yocum:Well, there's not enough c three PAOs. Right?
Joe Wynn:There's not. The new challenge so I guess there was an ISC two Security Congress happened in October, and one of the things came out was nowhere near enough assessors to evaluate the 200,000 plus organizations that are gonna be required to meet CMMC level two. And this is expected to be, you know, more disruptive to federal contracting than any single CMMC control. One of the things like 32 CSF part one seventy requires CMMC level two assessors. Our assessments have multiple assessors.
Joe Wynn:And to become an assessor, you must clear a tier three federal background check, which should which usually takes six to eight months on average to complete. And so that means that three p a c three PAOs, third party assessors, wait list right now, the c three PAOs wait list to get on there. So if you so say that, Rick, you wanted to go and you're like, hey, you know what? I'm gonna do this. Yep.
Joe Wynn:Sign me up. I'm gonna call up the local c three p a o assessor. I wanna get on the list. Can I get scheduled for next month? No.
Joe Wynn:You can schedule for a year from now and next month. Mhmm. They have a year long wait list. And, you know, that that's just the big thing right now.
Rick Yocum:Well, so then that's if I wanna be able to do the audits. Right? So if I if I we No.
Joe Wynn:That's if you Want to get an audit. You wanna get an and you go to a current auditor Mhmm. Their backlog's a year. Got it. They have no shortage of work.
Joe Wynn:Right. And the time it's gonna take for now, say you wanna become an auditor, so what's gonna have to happen? If you don't have your level three background check, that's gonna be
Rick Yocum:one of going.
Joe Wynn:And if your company Do
Justin Leapline:you have to do level three? Because most companies are what? One and two? I don't know the population.
Joe Wynn:No. No. No. That's different. I'm sorry.
Joe Wynn:That's different. Confusing two things.
Rick Yocum:He's got a level background check.
Joe Wynn:Yeah. Level CMMC has a level one, which is basically like a couple dozen controls. Right. Level two is all of the hundred one seventy one controls, and level three is like your, you know, your your major government contractors, your multi billion dollar manufacturer.
Rick Yocum:The most stringent version of CMMC stuff.
Joe Wynn:This is different. This is tier three is what I should have said. Federal background checks. Those take six to eight months. So if we don't have All our
Justin Leapline:auditors need that? All or three.
Joe Wynn:Yes. Yeah. If you're an auditor well, actually a level CMMC level one doesn't need an audit.
Rick Yocum:No. I didn't know
Joe Wynn:that. It's more self assessment.
Justin Leapline:Oh, okay.
Joe Wynn:You can self attest. Right. Two, you need to be able to get the audit. Mhmm. And if you wanna become an auditor
Rick Yocum:You need the background check.
Joe Wynn:You need that and ace Crazy.
Justin Leapline:What like so they need to optimize that.
Joe Wynn:And and the but they wanna make sure that they don't have people in there who are auditing companies who might come into contact with CUI Mhmm. And as part of the audit and not have a cleared federal background check. Yep. Because this is federal information that they're taking a look at. So they wanna make sure that people looking at this data, you know, have that.
Joe Wynn:And the other the other piece of that is is that I read two things. It was a little conflicting. I think it's might you might only need two, but somewhere I read you might need three auditors on a single audit.
Rick Yocum:That's interesting.
Joe Wynn:You can't have just one. Wow. So Rick can't get
Rick Yocum:It couldn't just be me and be like, hey, I'm gonna do it and you, Justin, also have to do it and we have to find another
Joe Wynn:You need to have a company that also is able you know, this is kind of in line, I think, you know, being, you know, this piece from the PCI world. Right? You couldn't just, you know Justin, you have all the experience to do PCI audits. You you single handedly can't go out and become a PCI.
Rick Yocum:Assessor? I can. Auditor?
Justin Leapline:A company.
Joe Wynn:Through a no. But, yeah, just through a company. But can your company, with only you, do it or do you need more than one?
Justin Leapline:I need a QA somehow.
Joe Wynn:Yeah. Yeah. Okay. And so I'm not sure if that's the reason
Justin Leapline:why But technically, I could do the entire audit by myself. Mhmm. Okay. Gotcha. Requires one senior whatever QSA onto that.
Rick Yocum:But c three PAOs need some They need to
Joe Wynn:have least two, maybe three depending on whatever's reading that
Justin Leapline:they're What's the justification for that?
Joe Wynn:I I didn't I didn't get into that. No. I
Justin Leapline:don't know. But I'm kinda curious, like, why would that even make sense? Why are you forcing multiple auditors on a single project? I don't. You know?
Rick Yocum:No. The answer Yeah.
Joe Wynn:That that was built into it's actually built into so if you wanna read on this, it's 32 CSF part one seventy that law Yeah. Requires that you have multiple assessors on a CMMC level two or higher assessment. Now and and then, you know, and then you take that, you take the fact that you had need to have multiple, then you take the fact that you that you're gonna have that these current auditors are a year wait time. And and if you wanna become a new one and you haven't had your background check, you got at least a six to eight month wait before you can even be passed.
Rick Yocum:And that's for the background check. But if I'm correct, to be a c three p a o, the organization side, because the people need the background checks.
Joe Wynn:Right.
Rick Yocum:The organization itself needs certified to be able to do the thing. Yes. And I don't know if that timeline is shorter or longer
Joe Wynn:than ever into that, but yeah. Yeah. That just more exasperates this problem. Actually,
Justin Leapline:that that does make a little bit so I have experience on the FedRAMP side of that, and they have specific roles. There's, like, five roles that have to be fulfilled within the FedRAMP.
Rick Yocum:And the same person can't do,
Justin Leapline:There are some exceptions into that, but But typically. Typically. Yeah. Like, you have to have a head pen tester, you know, and a head auditor, you know, so technical slash audit, you know Yeah. Side of things.
Justin Leapline:But so But they don't have the requirement to do, like, background
Rick Yocum:and stuff. Yeah. But so the the overall impact here, theoretically, if thing
Justin Leapline:everything Not big background checks like that, you know. Yeah.
Rick Yocum:Yeah. But so if everything kind of stays as it is, relatively speaking, it sounds like there's gonna be a lot of organizations that can't get certified in time to actually bid on the contracts that they might need to bid on.
Justin Leapline:Right.
Rick Yocum:Or they might wanna bid on.
Joe Wynn:They will bid on them and they will not be qualified to sign.
Rick Yocum:Oh, that's right. They could even they could even be selected, but then Yep.
Joe Wynn:And also falls through. Get the whoever was second in line will get it.
Justin Leapline:Or could there be exceptions?
Rick Yocum:I Well
Joe Wynn:don't think the rule makers are
Rick Yocum:Could they do yeah. There's not supposed to be, but I would suspect that, like, depending on the size of this operational problem by the time they get there Right. I mean, you're not just gonna stop all manufacturing.
Joe Wynn:Stuff will change as as you go because it's changed so many times in the last several years. I mean, this
Justin Leapline:situation has lightened up on the certification or the background check. That's way too long from a operational standpoint.
Joe Wynn:Well, you know, the you're so you're saying that maybe they'll have to not have a tier three federal background check with something that's not as detailed.
Rick Yocum:Yeah. Go go go let a third party do a standard background check.
Justin Leapline:Criminal Court. You know, all the stuff and everything. Like, yeah, because that tier three means they're doing interviews with friends and family, all that stuff and everything. Like, yeah, okay. Let's look at their background like, do they have something in the past?
Justin Leapline:Like federal, state, seven years going back, all that stuff.
Joe Wynn:Yeah. I I don't know. That'd be very interesting.
Rick Yocum:Now, to make Okay. I just say I'd be interested in like the general timelines there. So they say they loosen that and that's no longer the bottleneck. Are we already so far down the road?
Joe Wynn:Well, have 200 that well, here's what I'm seeing is I have I have companies coming to me saying that someday I think I might wanna bid on DOD stuff, so I wanna be ready. Mhmm. So they're not even doing it yet. And so they're starting to come to us saying, I I may want I wanna be prepared and the first thing I wanna do is get my NIST eight hundred one seventy one assessment and my company CISA will do those for you. Mhmm.
Joe Wynn:And the
Justin Leapline:And you're CMMC certified. Are you a RPO? No. Yeah. That's what
Joe Wynn:it We we have RPs. Yeah. Our company is not an RPO. We have it on our road map to potentially see if there's enough market for what we're gonna do for it. But everything I'm talking about right now is showing that, yeah, it'd be a good idea.
Rick Yocum:There might be some.
Justin Leapline:Yeah. And
Joe Wynn:so but we've, you know, and and the fact that, you know, we've had, like, some good successes lately. We're pretty motivated to look into that.
Rick Yocum:That's great.
Joe Wynn:But evaluate but 200,000 companies needing to do this and not having more than, like, hundreds of auditors, like, 600. I I I think I saw something around, like, in a 600 range of auditors out there to be able to do this stuff. And that's individuals or or Individuals. Individuals. And you need a couple on them at a time.
Joe Wynn:These audits take a week. You know, you slot a week. You're gonna keep grinding through them. Companies, these 200,000 orgs that they haven't not all of them have come to the realization that they need to do something yet. Some of them, you ask some of these orgs that they're still surprised.
Joe Wynn:I can't put these controls in place.
Rick Yocum:Right.
Joe Wynn:What is all this new control stuff? No. This isn't new control stuff. You signed a contract back in whenever that's for the last ten years, you were supposed to be doing $801.71. Mhmm.
Joe Wynn:This is all the only thing new the only thing new on November 10 was we require an audit Mhmm. To prove you were doing what you're supposed to be doing. Yeah. Yeah. Yeah.
Joe Wynn:More than an attestation, I did say this is like an official audit versus like SOC two That's
Rick Yocum:true evidence for you.
Justin Leapline:Yeah. I guess I I put that in like, yeah, attestation of an auditor, you know Gotcha. Yeah.
Joe Wynn:Now to make the whole thing worse, and I found this part very interesting in the article was that, like, all this is for DOD bidding. But just as everybody I expected this would happen. Once the one branch of the government's coming along or one agency and the government's coming along and say we're gonna do it, others are gonna do it. So we're starting to see rumors of the General Service Administration, GSA.
Rick Yocum:Oh. NASA. Yeah.
Joe Wynn:Department of Education. For sure. Department of Treasury. Department of Health and Human Services, like HHS, OCR for HIPAA stuff. They're all starting to use the same term of CUI, c y.
Joe Wynn:Yeah. Confidential or
Rick Yocum:Controlled unclassified information.
Joe Wynn:And from this and and so now they're starting to do that, they want to figure out, well, who you know, what kinds of things are out there and how can I get some sort of so if I wanna process not just that, imagine all health care companies? Yeah. If you wanna process PHI, now you need to get CMMC certified. That'd be very interesting to see if they go that full direction.
Rick Yocum:Yeah. They've been
Justin Leapline:talking about going over and actually retrofitting HIPAA, and they were looking for more budget to actually do assessments or to get something along that line. Oh, yeah. It's kinda died over between administrations Yeah.
Rick Yocum:I remember that.
Justin Leapline:Type of thing. But it'd be interesting if they went down the c b m c auditor route and said, here's a different framework, but you're all certified auditors. Just go, you know, type of thing.
Rick Yocum:I I think it's interesting. You know, my my understanding as I followed the history of all this early days was they were setting up the whole marketplace ecosystem of auditors to try and avoid the fact that they didn't have enough internal government employees to do all these audits. Right.
Joe Wynn:And they well under shot.
Rick Yocum:And so they built this whole ecosystem to try and establish that.
Joe Wynn:And CMMC AB.
Rick Yocum:Still still in a I don't know if it's exactly the same, but maybe a similar boat where it's like, oh, I don't know that we're gonna hit these deadlines.
Joe Wynn:Oh, yeah. Exactly. They're they're gonna run into the same stuff. So the difference with HHS OCR, that was more just a government deciding they wanna do these audits and not have enough auditors. Whereas in this case, it's, you know, the DOD is making it pretty mandatory.
Rick Yocum:But that was the conscious decision is because because they wanted to make it mandatory
Joe Wynn:Yeah.
Rick Yocum:Is they they felt that they had to go external.
Joe Wynn:Oh, right. And then right. I see your point. Yeah. Exactly.
Joe Wynn:So that's why they created the CMCAB advisory advisory board.
Rick Yocum:Yeah. Advisory board.
Joe Wynn:And and they they're the ones that have to bless thus
Rick Yocum:c three PAOs. Certification process for them.
Joe Wynn:Exactly. So another interesting piece from the article that came out of that ISE to what was it called? Their Security Congress was there was probably, like, four or five different facts I thought were pretty cool. But the one that really stuck with me was, you know, what do you need to do? You need to get in and embed CMMC into your enterprise risk management.
Joe Wynn:So the, you know, the first control in in risk assessment is how your organization is assessing the risks before you even get to the point of handling QE. So that's one of the things that, you know, the one the speaker had had brought up down there. And, you know, if you're really and then just kinda wrap this up. The big takeaway is that if you're expecting to wanna do work for DOD or sub to a prime
Rick Yocum:Right.
Joe Wynn:You know, get in line now for your assessment.
Justin Leapline:Should have started this a year ago, two
Joe Wynn:years ago. You should have. That's what we've been saying.
Rick Yocum:But a lot of people didn't because the program itself was so chaotic and changed so much over time.
Joe Wynn:They just didn't trust that it would happen. And the thing is as though listening to a couple different podcasts that weren't related to this is the one thing that stayed consistent no matter who was the administration, who were in charge of the various departments, everything from, you know, the the the people who were really impacted by all these government breaches.
Rick Yocum:Mhmm.
Joe Wynn:I mean, you know, that that's what really motivated this. And now we're at the point where it's finally happened. While you could see the shiftiness of the thing and the uncertainty that was never changed that they were gonna do it. Yeah. And there was never a question there.
Rick Yocum:Absolutely right.
Joe Wynn:You know, so get in line, call up, know, for I would do two things. One of them self serve serving here. But the first one is get in line now for your assessment. Yep. Get with that c three p a o.
Joe Wynn:Get registered. I really hope that if you're gonna do that, you already have your 80171 controls in line. But if you don't, call up my team at CSO. We'll help you conduct an initial gap assessment, get you to a point where you can create your plan to close those eight hundred one seventy one gaps.
Rick Yocum:Yeah. Well, I mean, you have the RPs on staff, but I would argue with your order of operations. I would say call CISO first only because, like, implementing these controls is gonna be the long pole. And if something shifts, it you know, maybe it's gonna be the you don't know. Maybe it'll be a certification date or not or they'll grace in for a year, but you're still gonna have to do the thing.
Joe Wynn:Well, yeah, one of the requirements is you gotta be able to put in your SPRS system. That's part the SPRS system is a system out there that the government put in place. You have to put your score in, that your score is your self assessment of your Mhmm. One seventy one controls. Yeah.
Joe Wynn:And, one of the things that happened when I don't know if I have a note on this, but one of the things that happened when companies were going through and doing that is they were finding out that while they were scoring themselves perfect when
Justin Leapline:Oh, yeah. Some place in Texas that The DipCap. They're like one of the first ones to do that. They're like, yeah. We're good.
Justin Leapline:100%.
Joe Wynn:Yeah. And when the DIP cap came in and said and they did one of these audits on behalf of the government and they came in and looked at it, they actually dropped by a 100 points. Oh, yeah. So they they scored a 10 instead of one ten. And I mean,
Justin Leapline:that that's just reemphasizing the the entire problem that CMMC
Joe Wynn:Right.
Justin Leapline:Absolutely right thing to
Joe Wynn:do. It's intended to fix.
Justin Leapline:Yeah. Exactly.
Joe Wynn:And then other things that were coming out, heard this this morning on a different podcast was the you know, you're they're putting their poems, and they're putting poem dates in of year like, you know, so we're 2025. They're putting in the year 2100.
Rick Yocum:Oh, and that's your that's your remediation plan for issues as your poem.
Joe Wynn:Yeah. They're they're putting in the this will be corrected in like a hundred years.
Rick Yocum:Yeah. We'll fix it eventually.
Joe Wynn:And they're like, now wait, do you guys realize that the government's actually has access to this and they're reading these these reports? So it's it's all right there. So don't wait any longer.
Rick Yocum:Yeah. Get it fixed. And I'd say start start with controls and and get in line with your c three PAO for sure. But also
Joe Wynn:Call us up. We we know some c three PAOs. I don't think I don't know how many strings I can pull, but at least I'll make introductions of ones that are gonna be efficient and help you get it done.
Justin Leapline:Awesome. Yeah. And they'll prioritize on your is it contract renewal? So if you're in the middle of a contract.
Joe Wynn:Yeah. If you're in the middle of a contract and you're good and a contract's good for the next couple years, you don't have to worry about it. But if you're gonna bid on something that's coming out now and, you know, how long these big process will
Justin Leapline:take. Contract.
Joe Wynn:Yeah. Or a renewal of a contract, they're gonna put it in. The contracting officer for the government will put that in and say this is the requirement and they get to specify, do you need level one, do need level two, level three, and, you know, on average, most will be level twos. And that's exactly how it'll Yeah.
Rick Yocum:Well, and it and it's worth noting too. I mean, even if the government decides to shift a little bit on timelines of what's acceptable, they're talking about the primes. The primes can set whatever expectations they want with their subs, and I've seen situations in the past where those big primes are very rigid with respect to what they expect.
Joe Wynn:Right. Because it's from their subs. Vendor risk management program is looking at that. That's a good point. I didn't even cover that.
Joe Wynn:I'm so glad you brought that up because you're you're you're absolutely right. The majority of those 200,000 companies are probably not going direct to the DOD. They are trying to work for primes. And what they're trying to do for primes are really simple things. It might just be, I need to take this piece of aluminum and bend it in a very particular way.
Joe Wynn:Yep. But in order to do it, I need I need access to There's a CAD
Rick Yocum:file that tells me how to do it.
Joe Wynn:Yeah. Yeah. It's up to the prime to say, well, is that vendor processing things for me that I feel comfortable saying they only need a level one? Or am I gonna be more conservative as a prime because I don't wanna lose being a prime for some problem that happens with that vendor?
Rick Yocum:And if you're a prime and you got in line and you have your thing, why why would you seek the exception with the government to have a sub? Like, I mean, there's just things
Justin Leapline:And I actually saw it was months ago, there was a bunch of questions going up to CMMC and the board and everything, and it was a big sub. I forget exactly. It was like a Lockheed Martin, like, you know Yeah.
Joe Wynn:That style company.
Justin Leapline:Yeah. Big big company. Does a lot of work with the government. And they're like, are are you are you serious? Like, we're at risk if one of our subs aren't compliant with CMMC.
Justin Leapline:Oh, yeah. And they're like, yes. Get out. And they're like, like, it was basically just a question answer, and it was like, yeah, like, if one of our subs are compliant, that doesn't affect our status. Like, no.
Justin Leapline:It does. It does affect your status.
Rick Yocum:So I would say, if, you know, if you're a sub that works for a prime and that prime has gotten their certification or planning on getting their certification in time, just recognize even if the government decides to relax a little bit on some of the specific requirements, your prime could still have certain expectations that are not aligned.
Justin Leapline:And they're gonna get more with that verbiage and everything. That was basically the outcome is like, now that your prime is gonna be, you know, up your butt to make sure
Joe Wynn:Three years ago
Justin Leapline:Yeah.
Joe Wynn:I started getting calls from companies, like small manufacturers out of like West Virginia who have been asked by their prime
Rick Yocum:Oh, yep.
Joe Wynn:Are you NIST eight hundred one seventy one or are you fully all the way there?
Rick Yocum:I I had the same thing. Yep.
Joe Wynn:Yep. And the the the company had no idea what they were they were like, I don't even know what you're talking about.
Justin Leapline:Right. What's January? Yeah.
Rick Yocum:Well and this was so early in the program that, like, the big primes were like, hey. We were told we had to do this, so we entered it into our vendor management program. And we just, like, copied and pasted the language, and all these subs were like, what data are we even talk like, what is what do I even need to secure? And, like, nobody knew. Yeah.
Rick Yocum:I yes.
Joe Wynn:They weren't clear on what on CUI they had. No. And they weren't doing any kind of segmentation
Rick Yocum:Yep.
Joe Wynn:Or even clear declaring their whole organization as in scope. Yeah. 100% right. So I'm so glad you brought up the primes and the sub the primes because majority of this is gonna be subs
Justin Leapline:Oh, yeah.
Joe Wynn:Who are gonna lose their contracts with primes. They're probably pretty good contracts. They don't wanna lose them, you know, get this stuff in order. Yeah. And Justin, by the way, I love this t shirt.
Justin Leapline:That's a picture. Right? Yeah. I was gonna mention that. That's a I dig slick t shirt there.
Justin Leapline:Yeah. Wish I had one. You probably have a
Joe Wynn:you had a bag full
Justin Leapline:of a lots of Microsoft. Yeah. So I think to wrap this up and everything, there's gonna be a lot more work coming from, like, virtual CISO, virtual GRC stuff for a lot of these subs and everything, I can imagine. Like, especially the small manufacturers are doing a piece out of a bigger contract and everything. Yeah.
Justin Leapline:Like yeah.
Rick Yocum:And if you are a sub and you don't wanna deal with too much of it, you could also consider having CISO help you out with some GRC engineering potentially. Yeah.
Justin Leapline:Yeah. There
Joe Wynn:you go.
Justin Leapline:Get it all automated. Yeah. Awesome. I think that's a wrap here.
Joe Wynn:Brilliant. Good. Awesome.
Justin Leapline:I love it. Yeah. Alright. Well, thank you everyone for joining us for episode 19. Don't forget to comment, like, and subscribe.
Justin Leapline:We're really trying to push up these numbers here, and thank you for joining. See you next time. See you all. Bye.
