Reckless Compliance

NSA's Secret Weapon for Small Business FedRAMP and CMMC Security

Season 1 Episode 12


Welcome to this episode of the Reckless Compliance podcast, brought to you by Ignyte, where we explore cyber risk and compliance in the defense sector. I am your host, Max Aulakh. Today’s guest is Rose, an NSA liaison specializing in cybersecurity collaboration.

Topics we discuss:

  • The NSA’s cybersecurity mission and its role in protecting the defense industrial base (DIB)
  • NSA’s free cybersecurity services for small businesses, including threat intelligence collaboration, attack surface management, protective DNS, and continuous autonomous penetration testing
  • How these services align with CMMC requirements and help small businesses improve their cybersecurity posture
  • The importance of public-private partnerships in strengthening national cybersecurity

Tune in to hear Rose’s expert insights and find out how your business can benefit from these free NSA cybersecurity initiatives.


Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Connect with Max Aulakh on LinkedIn
Connect with Rose on LinkedIn

Ignyte Assurance Platform Website


[00:00:00] Max: Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com. If you're looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or if you're a security pro within the federal space looking for a community, join us.

We'll break down tools, tips, and techniques to help you get better and faster to get through the laborious federal accreditation processes. It doesn't matter what type of system or federal agencies you're dealing with. If you've heard of confusing terms like ATOs, FedRAMP, RMF, DISA, STIGs, SAPs, SARs, or newer terms like cATO, Big Bang, OSCAL, and SBOMs, we'll break it down all one by one.

[00:00:43] Max: And now here's the show. Hello everyone. My name is Max Aulakh and welcome to this exciting episode. Our first episode of the year of Reckless Compliance, where we learn unintended consequences of bad compliance. So today we've got a pretty exciting guest. Her name is Rose. She works with the NSA. She's one of the liaisons for something called cybersecurity collaboration.

[00:01:05] Max: We're going to learn about that because there's a lot of benefit to small businesses, the defense industrial base. And we're also going to learn about how does CMMC or how does NSA interact with CMMC? So without further ado, Rose, welcome to the show. How are you doing? 

[00:01:21] Rose: Thank you for having us. I'm so excited to be here to talk to your audience.

And I'm happy to share a little bit more about what we do at the agency in this space. We have such an exciting mission. So yeah, I'm happy, happy to be here. 

[00:01:35] Max: Awesome. So definitely want to hear about the agency's mission because obviously we've seen NSA all over the movies. They do many different things, but before that Rose.

[00:01:44] Max: Tell us a little bit about yourself, your background, how long you've been at the agency. And then after that, let's dive into the mission of the agency and this initiative. 

[00:01:54] Rose: Absolutely. So thanks for the warm welcome and the introduction. I have been with the DOD for over 25 years. I started my career in the United States Navy.

I joined as, first as an engineer, I thought I wanted to be an engineer, but I quickly realized there's so many different missions in the Navy. And I wanted to do something, you know, a little more exciting. So I got into this field of cryptologic as a cryptologic technician. So basically I've been an intel analyst for the majority of my career.

[00:02:22] Rose: You know, once I got out of the military, I did join the DOD and eventually NSA. So I've been with the agency for about 14 years. And I'm excited to continue my journey and working in the intelligence space.

[00:02:35] Max: That's awesome. Crypto analysts. What a cool title. Right? Like it's one of those titles that I think you'll hear on TV to attract people, but definitely a very cool title.

[00:02:46] Max: So tell me a little bit about the agency, what you guys do in context of CMMC. I know NSA does all sorts of things, but a lot of our listeners are the defense industrial base and they've got this CMMC thing. The final rule is out, but tell me a little bit about your mission and what you guys are solving.

[00:03:04] Rose: So I'm going to take a, I'm going to take a very broad approach and then I'll drill down a little bit. So at the National Security Agency, we have two main missions. We do signals intelligence, which is our foreign mission. It's all intelligence based. And then also we have a very big cybersecurity mission, and that is to help protect and defend the defense industrial base and our national security systems.

[00:03:26] Rose: So between those two missions we focus on making sure that we are producing intelligence. But also, in this new mission that we stood up at the Cybersecurity Collaboration Center, we stood this up four years ago with our main goal to do private public partnerships, and using our great insights to share with industry in order to help better protect the defense industrial base and our national security systems.

[00:03:50] Max: Nice, nice. So I actually didn't know that. I knew about the foreign and the national security systems, but is adding on DIB, the defense industrial base, is that a new thing, Rose, or is it always been part of NSA?

Rose: They had DIB, I believe they delegated special authorities to NSA to help do that for the defense industrial base. So we do have quite a bit of unique authorities that enable us to do that. Exactly.

[00:04:14] Max: That's awesome. Awesome. Thank you. You're welcome. So a lot of our customers and also just people that we interact with, they're kind of confused between a lot of different agencies. We've got NSA, DC3, DCMA, the Cyber Accreditation AB, taking away all of that, right?

[00:04:30] Max: Bunch of acronyms. What is it that you guys actually provide to businesses, like in the defense industrial base, small businesses? What is it that you guys actually do for them? 

[00:04:41] Rose: There's a whole host of things that we do, but I'm going to focus on the stuff for the small businesses. And our DIB defense team, we have quite a large team that focuses on ways to help understand all the unique insights that we're producing and figuring out ways how we can better protect the DIB.

[00:04:58] Rose: We quickly realized that through partnerships with our industry partners and our DIB service providers that the small, medium sized businesses were left out of that picture. So the team has created technical solutions. These, we have four, we have three or four of them now. We just added a new one.

[00:05:18] Rose: Basically what they do is they, through competitive contract awarding, they will find a service provider for some of these. And then these are no cost to the actual small business. Once they, if they meet our eligibility and the requirements to enroll in these services, and then they're on their way. Well, you know, no cost cybersecurity services.

[00:05:38] Max: Yeah, no, we'll dive into the, that's pretty cool. So the way I understand it is that it's not just cyber services provided by NSA. You're actually vetting out providers and then, instead of the small business paying the bill, you guys are paying the bill.

[00:05:54] Rose: Yes. We have partnered with DOD CIO in order to provide these services.

They are the funders, if you will. Okay. 

[00:06:01] Max: Okay. 

[00:06:01] Rose: So we, how NSA complements that is we use our unique insights to do a more of a threat defense informed providers as well. So we share our insights to help make it the best defense mechanism for a small business.

[00:06:16] Max: Nice. Nice. Okay. Okay. So now let's talk about the services, right?

[00:06:20] Max: So small businesses, if they, if they're like strapped for cash, which a lot of them are, right. They're like, they're taking this as a new requirement, even though it's been in the rules for quite some time, they got to get audited through somebody like us, which can be quite difficult. You guys are providing some free services.

[00:06:36] Max: What are some of these services? That they can take advantage of. 

[00:06:45] Rose: Absolutely, so in order to qualify for these services, they have to have an active DOD contract. They have an active DOD contract, they're a qualifier for that. The aim for these services is to create things that are low barrier for the small businesses.

Some could be considered a set it and forget it type service. We are very enriched with our insights and some analysis. So the four services we offer today is our threat intelligence collaboration. This is where NSA will provide a partner with non public DIB specific threat intelligence. And then create an opportunity for those partners to engage on the materials that we share.

[00:07:18] Max: Got it. Got it. Okay. So Rose, you know, cause a lot of the small businesses, they're not primes, right? They're just sub. So, are they able to participate if they're just a sub, sub, sub contractor, not a direct contractor? 

[00:07:30] Rose: Correct, they can participate if they're a sub.

[00:07:33] Max: Okay, okay. Alright, so that's eligibility, and then after that, you've listed out different products and services.

[00:07:40] Max: And a lot of these things, they tie into different CMMC controls. One of them that comes to mind is just continuous monitoring, right? Somebody's actually monitoring, looking at threat intelligence and that sort of thing.

[00:07:51] Rose: Correct. Our second service is quite interesting. It's an attack surface management.

This is where we help a small business identify all of their publicly facing assets. We take an adversary approach to understanding those public facing assets, and then we help them kind of assess how an adversary would go after that. And we help them, give them a very high level executive overview of what's the prioritization if they needed to close those gaps and seams, and we give them guidance and mitigation guidance for them to do that.

[00:08:27] Rose: So that's very much a, you know, us taking a look at their perimeter, giving them insights, giving them guidance, and, you know, up to them for them to kind of help figure out how they're going to mitigate that. To help mitigate some of those things, we do offer a protective DNS. This helps block users from connecting to malicious or suspicious domains.

So, and that is a service that is provided by a vendor, so it is provided by Akamai. What we do is we provide on a weekly basis, through our intelligence and our insights that our mission is performing, we give them kind of the, you know, updated block list from our intelligence. Plus of course, what that service provider is able to do for themselves as well.

[00:09:12] Max: I can't believe this is all free. Like seriously, Rose, I had no idea. I mean, Akamai is a very well known company in the space and most small businesses can't really even afford that. So for you guys to do this, that's just, that's pretty amazing. 

[00:09:28] Rose: Yeah. That's been some of the feedback we've gotten from small businesses is just how helpful the services are.

Like Protective DNS is a set it and forget it type of thing where they're able to get the added benefit of the protection from both the government insights and then industry insights as well. 

[00:09:45] Max: Okay. Awesome. Awesome. So you listed out two services. Was there like a third one and the fourth one you said that was just emerging?

[00:09:52] Rose: So those were three. I did the threat intelligence collaboration. We consider that our attack surface management, our protective DNS, and our newest service is a continuous autonomous pen testing. This is an AI driven service that is being provided. It mimics actions of hackers to help find and fix vulnerabilities in their internal networks of a company's networks.

[00:10:17] Max: Okay. Wow. Okay. And when is that launching? Is that? 

[00:10:21] Rose: It's been launched. We piloted at the middle to the end of last year. And through the pilot, we took current partners and had them help, you know, go through the testing of that. And then it got competitively awarded and now it's, it's open for business.

[00:10:37] Max: Now it's open. Okay. Wow. All right. So the other question we often get, Rose, is, okay, if I sign up for these services, does it replace the entire, you know, CMMC burden that they have to do? Cause again, we're, we're talking to a lot of businesses that are new to the government for this type of rule. Have you seen that question and what are your thoughts on that?

[00:10:58] Rose: Great question. And typically when we talk about how we tie into CMMC and partnering with the DOD to provide these services, we try to provide technical solutions that we know are the most common way small businesses are being attacked by cyber actors. And then at the same time we've identified all these services, we've mapped them to this particular CMMC support and NIST controls.

So although these four services won't check off all of a company's CMMC checklist, it's going to help them satisfy at least, what I'm looking at is four, five, five MBOs.

[00:11:40] Max: Okay. I think I heard chatter online that were like, if we could just make the rules simpler and just focus on protection, you know, we meet the intent and then you got all this paperwork and checklist of things that may not be producing any value for a small business, but it sounds like you guys are really focused on

[00:11:58] Max: protecting the small business. Like what are the things that are actually going to harm them?

[00:12:01] Rose: Exactly. That's exactly our charter at the NSA, and our cybersecurity directorate's mission is to help protect the DIB. And, you know, besides partnering with all the service providers and all the major DOD partners, this is the way to get from kind of that bottom up approach and protection.

[00:12:19] Max: Yeah. And I think a lot of businesses, if they're going to invest, that's the first thing they care for. They don't care for the paperwork. I mean, they got to have it. That's our world, right? As part of being in the defense industrial base and me being a prior Air Force guy, like we have to have that, but most businesses just want to pay for actual protection and whatnot.

[00:12:38] Max: So the other element of this is, okay, I've implemented some of these services, I've met other controls. Then you got to get the audit done, right? Which is where we are right now with a lot of companies. So full disclosure, I think everybody knows this. We're an audit shop. We've been helping with the implementation and all that kind of stuff.

[00:12:56] Max: But is there a play where NSA helps with the audit fees and things like that? Is that part of the scope of this offsetting the cost? Or is that, is that not, could you speak to that a little bit? 

[00:13:07] Rose: Unfortunately, that is not a place that NSA contributes in terms of supporting audits and audit processes, or even training.

In this domain, our main focus has always been, how do we get information to our partners? How do we operationalize our intelligence with those industry partners? That's going to actually have an impact to them. And then also with these technical solutions coming out, you know, the, this is relatively new.

[00:13:35] Rose: So we've only been doing this for, I think a little over two years, in terms of providing no cost services to small, medium sized businesses in the DOD supply chain. Cause we really realized that when you looked at the big scope and how vast the defense industrial base is, you're talking about over 300,000 companies in the supply chain, 80 percent of those are considered small to medium sized businesses.

So knowing that, though, there was a huge gap in protection, that's always been our focus.

[00:14:06] Max: Rose, I always get this question from small businesses, like, you know, Hey, I don't want government looking over my shoulders. Right? Like, and it's true, right? Like they're like, you're like, you don't want to look over their shoulders either.

[00:14:20] Max: So yeah, a lot of businesses say, you know, I don't, I don't want NSA in my house and things like that. When you guys collect this data, this information, I guess, what do you do with it? What's the intent and purpose of this information? That's number one. And then, and then also does the business have to sign away anything, right?

[00:14:37] Max: Like, are they signing any agreements with you guys? What kind of things are they giving you access to in order for you guys to provide this sort of service? 

[00:14:45] Rose: So all of our partnerships are underpinned by an agreement of some sort, whether it's an NDA to help protect our partnerships, or whether it's an agreement based upon what services we are providing.

So we do have an agreement that's depending on the services that a company selects, they can choose one or all. They would then have the appropriate paperwork. What we, first of all, I'll clarify that NSA is not a compliance or regulatory agency in this space. So we are simply providing an end to a means of getting left of a cyber attack.

[00:15:22] Rose: We provide the technical solution and the insights to help prevent that. We don't collect data from any of these accesses. A lot of the information we do is threat informed, so we share our insights to help do that better protection. So we're not on anyone's networks. If you notice, the third party vendors for Akamai and the Continuous Autonomous Pen Testing is provided by a vendor.

We're not doing any, you know, we're not touching a network other than getting them connected to the service. And then we reap the benefits of readouts to help enhance and enrich it with our insights. And then we share the best mitigation guidance we possibly can from our perspective. And the whole aim of that is, if a device is compromised, then we're able to help recognize what partners may be using that device so then we can inform.

[00:16:15] Max: That makes sense. So, so really that's where I think you mentioned a public private partnership where really somebody else other than NSA actually has the data and you're just getting a summary, a readout, so others can have kind of a similar warning system, right, of like, hey, this is an early detection warning system almost for the DIB,

[00:16:31] Max: if something catastrophic was something to happen.

[00:16:35] Rose: Yep. Based on all the agreements and, and, you know, the sharing kind of guard rails we have, we, you know, our goal is to maximize that sharing as much as possible to, you know, again, if the, if one portion of the DIB is being had by a state, nation state actor, you know, we want to make sure all of our partners can reap the benefits of that knowledge and we want to share as broadly as we can.

[00:16:57] Max: That makes sense. So, you know, there's, there's also confusion about incident responses and things like that. There's the, something called the DIBNet, which is an incident response portal. So if somebody was to go sign up for you guys and they signed one of the agreements of the four services that you offer, if there's an incident.

[00:17:16] Max: Of course, we encourage them to follow their actual incident plan. Where does NSA play into that? Given that you guys are getting readouts and collection of this kind of information. How should a business think about that? 

[00:17:28] Rose: We are not in the incident response process from a compliance or regulatory standpoint.

Think of us as, hey, if you see something on your networks and you have a question and, and you think our analysts can help answer that question, we can help do some analysis and we will, you know, it's, it's more of that information sharing and threat exchange information so we can enhance that picture.

[00:17:53] Max: So there are like analysts available to the small businesses, you know, if they see something that isn't supposed to happen and that sort of thing. 

[00:18:01] Rose: Absolutely. Whether it's through the Threat Intelligence Collaboration, where they can engage on information that we're sharing to them, or if it's related to readouts of their reports for any of these services, and they want to have access to NSA, they can ask questions about the threat information that they're getting.

[00:18:20] Max: Wow. Calling up the NSA for some help. That, that better be a serious call is all I'm saying, right? So,

[00:18:28] Rose: Yes. And it's amazing that small businesses have access to us to collaborate on the threat intel. So yeah, it's, it's great.

[00:18:36] Max: Awesome. Awesome. Well, Rose, I wanted to thank you for your time. I know this is a very short podcast, so I really appreciate it.

[00:18:42] Max: It's really difficult. Like when we go to events, we talk to a lot of people from the agency and it's like, you're not a real person. You know, you, I don't even know your name. Right. So I really appreciate you reaching out, reaching to the community. But before we end this, what are some of the things that are coming up?

[00:18:59] Max: Like what can businesses look forward to and any, anything else that you want to share for some of these small businesses that are going to be going through this whole CMMC journey? 

[00:19:09] Rose: Absolutely. I would say things that are coming up are, you know, we'll continue to iterate on, you know, these particular services and hopefully we'll, you know, we're always looking at emerging threats.

So, and, you know, hopefully we'll come up with new services in the future based on that insight. We tend to try to do as much community outreach, if you will. We go to a lot of the industry conferences, we work with our government partners, we work in all the small business communities. So, aside from our headquarters up at the Cybersecurity Collaboration Center being in Maryland, there are representatives in Texas, Georgia, Hawaii, and we all, you know, are trying to find ways to reach the various levels of the community through, through our outreach.

[00:19:55] Rose: But our information is available at nsa.gov/ccc. The easiest way to enroll is just to go to the website and halfway down that page, you'll see DIB Services. And there is a get started button. If you think you qualify for services, do a request. And one of our teammates from our onboarding team will set up a call.

They'll review all the services with you. They'll collect some information from you about your, you know, your DoD contracts, see if you're eligible. And that's really all it takes to get started in any of these services. The shortest amount of time I've seen a call take to turning in paperwork was under 30 minutes.

And then the company enrolled in services the very next day, you know? So it's just a matter of getting information out. So I really appreciate you hosting us and helping us share these great insights to your forum.

[00:20:48] Max: Well thank you so much Rose. And there you have it folks. So reach out to Rose. We'll put all the links not directly to Rose 'cause she'll be overwhelmed, but to the site that she directed.

[00:20:58] Max: So we'll put all those links out. But Rose, I just, again, I wanted to thank you for coming on. I think a lot of people will appreciate this and you're absolutely right. We need to get the word out. So I just thank you for your time today. Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless. You'll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.