Climbing Mount CMMC: Documenting Software Security Controls for CMMC Compliance

KLC Consulting’s President and CISO, Kyle Lai CCA, was recently interviewed on Axiom.Tech’s podcast, Climbing Mount CMMC. Listen to this in-depth conversation that showcases Kyle’s expertise and experience, as well as answers practical questions about the CMMC Level 2 Certification process. This interview is also available on Spotify and Apple Podcasts.

Key takeaways from the video include:

  • Foster Collaboration: Bridge the Communication Gap between your IT and software development teams early in the CMMC compliance journey to ensure comprehensive documentation and security controls.
  • Treat Software Assets Like Any Other: Include all software development environments, tools, and applications as critical assets within your System Security Plan (SSP), addressing access control, vulnerability management, and configuration.
  • Leverage Cloud Inheritance Wisely: Understand how utilizing FedRAMP-authorized cloud platforms and services can allow you to inherit certain security controls, simplifying your CMMC certification efforts.
  • Choose a C3PAO with Software Expertise: Selecting a C3PAO like KLC Consulting, with a deep understanding of software assessment and the NIST 800-171 software development requirements, can lead to a more efficient and accurate assessment.
  • Document Everything Thoroughly: Ensure all security controls and configurations related to your software development environment are clearly and comprehensively documented in your SSP.
  • Consider Secrets Management: Implement secure practices for managing sensitive information like API keys and certificates within your software development and production environments.

In this video, we break down the #CMMC Level 2 assessment process, walking you through the requirements and what to expect during an audit. We provide #C3PAO insider tips to help your company prepare and succeed in achieving #CMMCAccreditation.

Transcript for: Climbing Mount CMMC: Documenting Software Security Controls for CMMC Compliance

Introduction


Welcome back, climbers. Today we’re joined by Kyle Lai. Kyle, thank you so much for coming back on our show. In case you all haven’t noticed, Kyle was on our season two, right, Kaleigh?

Kaleigh Floyd 00:09

Yeah, it’s been a while now.

Bobby Guerra 00:11

So thank you for joining us today, Kyle.

Kyle Lai CCA 00:13

Yeah, absolutely, really glad to be back now.

Bobby Guerra 00:16

We’re recording on Easter Good Friday, yeah. So we’re doing Good Friday, so I’m not exactly sure when the episode will be released. So thank you for even on a holiday. Apparently

Kaleigh Floyd 00:27

Because it’s a holiday, we’re together, so we’re

Bobby Guerra 00:31

on this, right? Yeah. So you may notice that, like

Kaleigh Floyd 00:27

We’re on the same we’re on, we’re on the same screen, although, audio wise, if you’re listening on Spotify, but trust us, we’re in the same room. Yeah, I’m excited.

Kyle Lai CCA 00:45

Right, I can see you both.

Bobby Guerra 00:49

So one of the reasons why we wanted to have you back on the show, Kyle, is to have a better idea of what you’re seeing in the ecosystem. But before we do that, I would like to ask you, I just tend to want to know this, for anyone that starts a C3PAO, like, what made you, what possessed you to start your C3PAO? Because that’s a tough challenge, doing that, because the ecosystem is still in its infancy, and it’s very challenging for C3PAOs to navigate that, being in such an infant state. Like, can you share about why you decided to do that?

Why Become a C3PAO? Driving Security in the DoD Supply Chain

Kyle Lai CCA 01:24

Sure. Earlier in my career, I was doing a lot of third party security risk management assessment. So I actually built up the third party risk management program for Fidelity Investments back in the mid 2000s, so I have really enjoyed doing the assessment. And the CMMC, if you think about it, is not really different from conducting the third party assessment, because these are the supply chain, right, DoD supply chain risk management. And I really enjoy being able to do the assessment, identify if there are some gaps, and to help companies just do better on their security. So I’ve been doing this since about 2006 until now. Back in 2009, 2010 I was at DISA as an operations manager, as a contractor. So that’s how I got into the DoD side of the business. And I really feel that there is a niche that I will be able to contribute to. So that’s why I got into the CMMC and decided to become a lead assessor and also a C3PAO.

Bobby Guerra 02:32

Yeah. And I mean, for those people that may not know, like there was a lot of still undefined things for C3PAOs when they’re stepping into the space. How do you feel now that audits are happening? Are you starting to see more light at the end of the tunnel around those types of things?

The Evolving CMMC Landscape: Progress and Ongoing Refinements in Audits

Kyle Lai CCA 02:50

I think there are still some processes that are being refined as we go, but yeah, things are getting better. At least we have the Cyber AB and the DoD, we have the process, right? I mean, there is still some back end stuff that people usually don’t see, like DoD eMASS; the DoD, they’re still refining it, so there is still some work to do, but a lot better than before.

Bobby Guerra 03:15

Well, I mean, I guess, like, part of the surprise with 32 CFR is that you had to have two CCAs involved, at least, at a minimum, you know. And that was a bit of a surprise, until the final rule, that seekers weren’t quite expecting.

Kyle Lai CCA 03:28

Actually, we need to have three, because we need to have the QA, right? Yeah, QA, they don’t do the assessment. But, yeah, you need to have at least two assessors to do the assessment.

Bobby Guerra 03:41

Very challenging, lot of risk involved with C3PAOs. Speaking about the risk, let’s talk about false starts. For those that may not know what that means, basically, there are two big phases at the very beginning of the assessment. There’s phase one, where the organization will sit down and go around scoping, and they present the evidence, and they talk through things with the auditor and the C3PAO, and then phase two is when you actually start going through all of the 320 assessment objectives. But the false start, what we refer to, is they don’t get out of phase one, where they kind of, they’re in such a state, the organization getting assessed, that they can’t proceed because they don’t have maybe an SSP, or their SSP is just rudimentary at best. How are you seeing, Kyle, the ecosystem with audits that are happening? Are you seeing false starts where organizations are coming to you and they’re just not ready? Can you give us a bit of a pulse about what you’re seeing there?

Navigating the Initial Stages: Understanding and Avoiding “False Starts” in CMMC Assessments

Kyle Lai CCA 04:34

Yeah, so right now, because we are still in the very early stage of these assessments, people that tend to start the assessment right now, they have been ready for a while. So we don’t see too many false starts, and they probably have been ready for a few months, right? They’re just waiting for the time to start. So all the ones that we have assessed, they are ready. So they actually all passed, and they already got their final status. You know, once we are done with the certification assessment, the actual completion of the assessment, if there are any gaps or deficiencies, or anything that’s trending unmet, the OSC will have 10 business days to address these types of, you know, deficiencies, providing that they are not impacting other controls, right? So one of them did have to go through that. But otherwise, you know, they have been pretty smooth.

Bobby Guerra 05:40

You know, and I didn’t really pay attention to that 10 day period. And as we started coming in for the landing for our audit, you know, I started rereading through 32 CFR because, you know, we did ours in January, and the final rule hit in December. We were like, oh, man, these 10 days. This is a big deal. This could be a huge saver for some people. That could be the difference between having to go back and see you in, you know, a few months, versus finishing their assessment and getting a certification, and that’s a lot of money on the line there, right?

The 10-Day Remediation Window: A Potential Lifeline in CMMC Audits

Kyle Lai CCA 06:12

But the devil’s in the details. The detail is that, yes, you can remediate some of these deficiencies, providing that that deficiency is not impacting other controls.

Bobby Guerra 06:25

Right, so it’s like, haven’t implemented change control. You’re like, No,

Kaleigh Floyd 06:30

You can’t fix that in 10 days.

Kyle Lai CCA 06:33

Yeah. So, yeah, there are some caveats.

Bobby Guerra 06:36

But I think what is really the frustrating thing about CMMC, in a lot of ways, is, when it was first sort of looked at, the human factor didn’t seem to be part of the equation, that people are going to make mistakes, there are going to be problems. And it just seemed like there was almost such a drive for perfection that was almost unfair. But when you have situations like you’ve got the 10 days now, you have, you know, some pointable items as well. There are some elements in there that, if you fall into the human bucket, that if you have a valid system, you’ve spent the time and the due diligence that are required, and you just made a mistake, like anyone could, you can work your way out of it, assuming you haven’t just been negligent.

The Human Element in CMMC: Addressing Mistakes and Negligence

Kyle Lai CCA 07:19

And, yeah, if there is some kind of, like, documentation that just needs to be updated, spelling errors, those are just minor. They were able to correct some of those deficiencies or mistakes during the assessment. The assessment usually runs one week, so they can make those changes during that week. But for something like, yeah, we’re missing, like, a change management control, or something that’s bigger, configuration changes. You know, configuration was mistakenly changed to something else and, yeah, that type of deficiency may not be able to be changed during that timeframe, yeah, and they have to go to POA&M and the conditional.

Bobby Guerra 08:02

Yeah, that’s a huge deal. That’s such a good point. The people that have taken it very seriously and spent a significant amount of time trying to be ready should be able to pass.

Kyle Lai CCA 08:11

Yes, and usually it’s good to just walk through right before the actual assessment. Have your internal or hire somebody to do the mock assessment. That’s always a good way to prepare for the actual assessment.

The Importance of Preparation: Mock Assessments as a Key Strategy

Bobby Guerra 08:25

Let’s talk about a topic that I think is near and dear to your heart, and that’s software development, because of your history and past. You know, you’ve had a lot of experience in working in the software development industry. This is an area that I don’t think gets enough light shined on it, given the fact that if you have data that software that you may have developed, or have a hand in developing, touches, it could get really interesting. And so we wanted to spend a little bit extra time today to talk about that and about some of the pitfalls around it, and to try to shine a brighter light on that topic. But one of the things that I think is super scary, to kind of like start the conversation, is the echo chamber factor, that if and when you’re working on your journey for CMMC, many organizations, because they’re all working on, you know, their internal staff, or whatever, they’re all looking at it, they’ll miss pieces because of that. Yeah, we’re right having that external person to kind of look at it, to catch those echo chamber problems where you kind of information bias yourself and believe that you have that. How would you recommend organizations that are trying to go through to get ready for Level Two Certification? What are some ways that you would recommend that they kind of validate themselves so they don’t get into that situation where they believe they’re ready when they’re not? Can you make some suggestions about how they can try to protect themselves from that?

Shining a Light on Software Development in CMMC Level 2: A Critical Focus Area

Kyle Lai CCA 09:53

First of all, I think you need to make sure that, I mean, it’s just a reality that you have an IT group, and there is a software group and there is a software security group, and they usually don’t talk to each other, right? Unless you make them, and that is the problem in these organizations. When you have IT, we will do the network diagram. We create a network diagram, but where’s the software security or software architecture, right, or the software infrastructure? It’s not there. So I think the software development or software management, software production group has to work with IT in order to come together and discuss, like, hey, what do you do? And when you are coming to the documentation, you need to take all that into consideration. So make sure you have somebody who actually sees the bigger picture, like, you know, the architect, right, the Enterprise Architect, that is able to see the entire picture and be able to pull, like, hey, IT, okay, we have this on our network diagram, but we need to have the software security or software group actually draw out that part of the infrastructure and include that into the network diagram and the scope. Because when we are going through the assessment, right, what we see is that the network diagram is missing, or when they are including people, they’re answering questions like, oh, software, we didn’t know you need to talk to the software people, right? Because we’re asking some questions about, okay, so how do you do the software development? Right? If you have an API, do you have an API? And the IT group cannot answer those questions. So you need to have the software people come in, and some of the infrastructure is now managed by IT, right? Web application firewalls, for example, API managers, or something like Azure DevOps, if they are using the Azure environment, those are IT.
So, yeah, you need to get these groups together so they will be able to talk and be able to include, especially when you are developing SSP controls. Yeah, IT, they document all the controls beautifully, right? For all the controls, all the hardware and software they know, but the other side, all the support infrastructure, web application firewall, web servers, load balancers, those are in your environment, but those are not documented, so you need to work together to get those documented as configurations and network diagrams.

Kaleigh Floyd 12:46

Is the reason that this is happening a lot because a lot of companies are trying to separate those development teams and not successfully doing it? Or where is that kind of disconnect happening?

Addressing the Disconnect: Why IT and Development Teams Often Operate Separately

Kyle Lai CCA 13:03

Software developers, they don’t speak, I mean, software developers, they do speak some IT, but for their own bubble, right? IT, they don’t speak software development, yeah. What language do you use? What open source? What vulnerability? Vulnerability scan. Those are all managed by the software. When you talk about software, that’s all managed by the software security, software team, yeah. So that is very, very different. So unless you get them together, IT, they just assume, Software Group, hey, you guys do your own thing. You know what you’re doing, so you manage your own. And sometimes the way that happens is that the software development group, or Software Group, they do have privileged access to their own environment so they can do their own configuration, but they just usually have their own separate environment. They just don’t talk to each other unless they have to.

Bobby Guerra 14:06

Yeah, I’ve noticed that a lot. And when we go sometimes to come in to start doing consulting, there’s almost like, you know, left hand, right hand through the IT department that’s kind of staring down the development department, and they’re like, all right, what do you absolutely need? And then you give them what they need, and then it’s like, now, leave me alone.

Kaleigh Floyd 14:28

I feel like it’s farther away than a left hand and right hand, because they’re like, they’re doing something over there and they’re working, but I don’t know what they’re doing.

Bobby Guerra 14:34

It’s a common thing that we hear. And so I guess, to hopefully not try to put words in your mouth, but trying to make sure that you pull all the parties together so that you can, high level, make sure that there are things that aren’t going to be revealed during the audit, because you have the experience to ask the right questions that they didn’t, and you don’t want that coming out in the audit. How about having a third party organization look at that? And if they did, what kind of cost would they be looking down the barrel of?

Seeking External Validation: The Value and Potential Cost of Third-Party Consulting

Kyle Lai CCA 15:06

Yeah, I think that’s a good point, because you really do want to have somebody who is familiar with software development, or how software works, first of all, right, because that is actually a little bit unique. When you’re looking at the controls, we’re not just looking at, there’s one control called 3.13.2, right, they talk about, yeah, do you have the software or system development life cycle? Yeah, that’s just one control. But when we’re looking at these controls, say, do you have the software infrastructure? Yes, we have software that’s running, that we actually provide an API, right? So okay, now we’re looking at the API and your API manager, your web application firewall, your web server, load balancer, everything, right? Now, how do you actually secure these? What is the access control? Who has access? What are the authorizations, right? What are the IDs? And that all spans across a lot of different security requirements in the CMMC, or in 800-171. It’s not just that one control, it’s many controls. So we really have to plan and document, you know, when we’re looking at the API, you know, API is one of the software, who has access, okay? Is that internal, external? Okay, if you assign these accounts to the external users, okay, now you’re exposed to the external users. How do you manage that? So there are a lot of controls. Now we are getting to 3.1.20, the access, the CUI flow. How does that flow? So, yeah, you need to have somebody who understands software and the CMMC in order to help you. And I mean, there are different ways of charging for these consulting firms, so I cannot really say how much it will cost, but yeah, I think there are definitely some good consulting firms that are special.


Streamlining Consulting Efforts: The Power of Preparedness

Bobby Guerra 17:19

One thing that we’ve seen that’s been helpful is, if you do a lot of the legwork when you get a consulting organization involved, you can really reduce the cost and present the right information so you can get a good, relevant response in a shorter period of time. Here’s what I mean by that. So what if you took your whole architecture of your development, your software plan, your architecture, you spent the time and mapped it all out, and you talked with the different parties, and that’s all something that an organization should be capable of doing, right? They should know all of that. Have that documented out. Then you pull in a consultant to then, at that point, have relevant discussions about how your architecture works and what you’re thinking about your scoping. You know, that could then be, you know, a half a day conversation, not weeks of conversations of, what do you have here? What do you got there? Like, if you do all the legwork and you put them together, you know, that can be a very effective half day to a full day money spend. And you can get a really good idea if you’ve echo chambered yourself into a lot of trouble.

Leveraging Software Requirements Specifications (SRS) and Software Reference Architecture

Kyle Lai CCA 18:32

Yeah, absolutely, yeah. And usually before you get the consultant in, that’s a good point. Because I also want to suggest that if you are going to get a consultant in, make sure the software development group or software production management group, they have what I call the Software Requirements Specification documentation that usually specifies what is the ID requirement, access control, encryption, all these, where is the data, what the data types are going to be. They have a lot of these already defined in the software requirements specification document, right, SRS document, and also they usually have something like a software reference architecture that basically specifies all the infrastructure, web server, or what other components you actually need within the software, right, to support the software, to make the software run. And these are the components to be drawn out. And you know how, that’s how the CUI, how the data flows through the software. So that is very important. If you have those, I think that will really help when you are going through the documentation, the actual documentation of your SSP, because they actually just go across a lot of different domains, different requirements within CMMC.

Bobby Guerra 19:58

I mean, it’s a lot easier for organizations once they kind of see what right looks like, at least a version of it. So they can kind of go, okay, well, now I can work on it myself and make something similar that’s relevant to me, to do those. So that’s very helpful.

Visualizing Software Infrastructure: The Missing Piece in Network Diagrams

Kyle Lai CCA 20:16

So, like IT. You know what the IT diagram, network diagram, looks like. But usually what’s missing is, like, oh, one section, if you do it right, there’s one section that’s like, software, right? Software, and then we have these specific software that’s running, or actually a development environment. If the source code is part of the CUI, you have the development and the production, and then what does it look like? Yeah, you have the drawing of the web server, Git repository, or the source code repository, with different components all within the box. That’s what’s missing.

Defining CUI in Software Development Environments: A Key Contractual Obligation

Bobby Guerra 20:54

That makes sense. Let’s dive into that development part that you’re talking about, because you touched on that. Let’s dive deeper on it. What are some ways that people can know whether the software that they’re developing, or the data that they’re using in the software they’re developing, is CUI? Like, how do they know how to deal with it? Because that is just a big iceberg for people to start kind of wrapping their head around. Can you provide some guidance so they can start thinking about that? I know it’s a big ask to magically know all of it, but just provide some insights.

Kyle Lai CCA 21:28

Yeah, yeah. So, if the development environment, if it is CUI or not, I think that all has to be specified by the contract. So usually the contract should specify what type of information within the contract is considered CUI. If they say source code, yeah, then the development environment, because you are developing the source code, that environment will be considered as CUI. So when we’re going in to assess, we will assess your development environment as well. And when we’re talking about development environments, that’s your, like, source code repository, like Git or, you know, GitHub or a Git repository, right? And also your development pipeline, if you are using the DevOps methodology, and usually there are, like, if you are using Azure, right? What does your Azure DevOps look like? What’s the pipeline if you’re using others? But that’s fine. We just will look at the pipeline. How do you actually go from development to test to production? What does that pipeline look like? And how do you do the release and the deployment, right, of the code to production, and what does the change management process look like? Because that’s very important these days, right? If you are using a pipeline, once you authorize the change, then it’s automated, right? You go to the production. So it’s very important to actually get that change management documented, and we’re going to look at the change management and make sure that the pipeline is actually working as advertised and the authorization, change management approval process is solid.

The Auditor’s Role: Understanding Processes and Documentation

Bobby Guerra 23:19

Now as an auditor, you’re not, correct me if I’m wrong. I could be making an assumption here and be wrong. You’re not expected to know that. You’re expecting the client, the person that you’re assessing, to know that.

Kyle Lai CCA 23:33

They should, right? We are looking at the documentation, their process, right? We are looking at their process, but it’s just like you have to know software in order to know the software development process and the software cycle, in order to know that the OSC is actually documenting things properly, right? So, yeah, it’s important, especially when you’re selecting a C3PAO, and also a consultant that’s helping you, make sure that they have the background. If you are a software development organization, the people that are doing the assessment also have to have that background, because otherwise they’ll be asking the wrong questions.

The Challenges of Assessing Software-Focused Organizations: Ensuring the Right Expertise in the Room

Kaleigh Floyd 24:23

Speaking of that, what has been the most challenging part about assessing, you know, organizations like this that have, like, a software development side to it? Like, what has been the most challenging part of that in your eyes and your perspective?

Kyle Lai CCA 24:41

Yeah, so I think that these are not really frustrating, but sometimes they don’t have the right people in the room. And I think, also, sometimes they are a little bit surprised that we are asking them about the software. It’s like, software is in scope? Or it’s not within our responsibilities. Like, yeah, but it doesn’t have to be your responsibility, but we still need to assess, yeah, so we need to talk to the software development group or software management group. But when they are in to talk with us, they have a lot of knowledge. But sometimes it will also be a little bit interesting, is that you have the API. Then they start describing the API, how the API is authorized, authenticated, and in one case, that particular API is provided to the customer, right? So they are actually assigning access to the customer. So they have a certificate, the tokens, to access the API. So in that case, we have to dig a little bit deeper, because now we have to make sure that outside, yeah. So those are a little bit challenging, because sometimes we’re just like, oh, it’s actually a lot more information than what we actually got, right, within the SSP, or within the network diagram, because it’s not there. So there are just a little bit of surprises, yeah. And also, when we get into the configuration, one of the companies had to take 10 days, is that when we’re looking at the configurations, like, okay, so you have an API, but where is it? It’s not documented anywhere, right? So now.


Addressing Documentation Gaps During an Audit

Bobby Guerra 26:48

In that situation, are you going to give them a little grace to try to pull that documentation out or find it, to provide that in the audit?

Kyle Lai CCA 26:55

They do have the controls in place. It’s just not documented, right? Yeah, so they do have the controls. Their controls are very good, but it’s not documented anywhere. So it’s like, where’s this configuration? So they provided it, but when we actually did the test, yeah, it’s there, right? The configuration is good, it’s just they’re not documented. So we have to dig a little bit deeper during the assessment, but we always wish we could do a lot more homework right before the actual assessment.

Kaleigh Floyd 27:26

No, absolutely. Yeah. I mean, you talked about API keys, you talked about certain certificates and, you know, APIs and things like that. When you’re working with companies that have, you know, that incorporated, I mean, this is coming from a very naive perspective. So I’m just trying to understand, with your system security plan, are there things that should have been put into there that would help, you know, you and your assessment fast track that, to not be like, oh, the dev team just came in, and then all of a sudden there’s a bunch of new things? Like, should that be mapped out somewhere inside of the system security plan to be able to understand and comprehend even beforehand?

Kyle Lai CCA 28:15

Yes, yeah, absolutely. So I would say, when we are assessing the configurations, for example, right, when we’re assessing the asset, if there is access control in place, we’re going to look at the access control for all the components or the system tools that you have there, have the ID and the accident authorization. So if you are using a web application firewall, web server, Key Vault, Git repository, we are going to look at the access control, right. These are going to be just another asset, okay, you have all these components. Show us your access control, identity authentication, because you still need to log into these systems to actually perform the development or the deployment, right? So we still want to, so, you know, don’t treat it as like it’s a software component, it’s something special. Treat it as just like it’s another asset, right? When you are doing the assessment, when you are doing the SSP, yeah, just make sure, if there are applicable controls in place, then just document it.

Treating Software Development Assets Like Any Other for Access Control

Bobby Guerra 29:27

Well, I don’t want to put words in your mouth, but it sounds like what you would want to see is like, for example, when you go to AC, you’re going to want to see access control, and IM information about the software side of things.

Kyle Lai CCA 29:43

I do, yeah, I would want to say, even the software you create, right, it will, you know, most likely there are going to be IDs and passwords, if it’s not API, right, ID and passwords, maybe, right? And then you do, you need to have the two factor authentication. Most likely you do too. So the software that you develop in production, yeah, we are going to take a look at that too. Vulnerability management, how do you manage the vulnerability? How do you do the vulnerability scan of your software when it’s running, right? So those are going to be things just treated like another system, another tool, another asset. So when you’re going through these, you know, these controls, yeah, just make sure you answer the questions, that’s another asset. Yep, our website–

The Importance of Vulnerability Scanning in Software Development

Bobby Guerra 30:38

You’re not gonna do a background check on it, but you definitely are going to do vulnerability scans on it, right?

Kyle Lai CCA 30:44

Vulnerability scan, yeah, and you know, you define your frequency of how often you scan. Usually software security, software vulnerability management, vulnerability assessment, scanning, they’re a little bit different than IT, right? Because they need to do static analysis. That’s when you’re scanning your source code, but when your software is running in production, they’ll be scanning to see if there are any software-related vulnerabilities when the software is running, right? The cross-site scripting and those types–

Collaboration Between IT and Software Teams for Vulnerability Management

Bobby Guerra 31:25

And chances are it’s going to be different people, right? The IT department is going to be doing vulnerability scanning of the switches and the firewalls and the other pieces, but the vulnerability examination of the software development life cycle is probably going to be somebody, perhaps on the software side, that might–

Kyle Lai CCA 31:43

Yeah, obviously, it all depends on how the organization is set up, right? Vulnerability scanning, just that scanning process, it may be done by IT, but the results might be just sent to the application side.

Kaleigh Floyd 31:59

So you talked about, I love this, you listed that we need to have the right people in the room, which has to do with including the dev team, you know, and the IT team and the dev team need to talk before this happens, to know what’s going on, have the right people in the room. And then also treat the development side assets just like any other asset in your organization, and list them out in your SSP, just like you would any other asset. Are there any other things that you can think of that also have to do with this software development side when handling an assessment or, you know, an SSP, or something like that? Yeah.

Managing Open Source Components and Secure Code Practices

Kyle Lai CCA 32:43

So, I mean, when you are developing software, modern software, they use a lot of open source, right? So open source components, open source packages. There are very few, if any, so-called modern software developments that develop everything in house, because, you know, if you are using Python, there are different open source packages that have already been developed. And nowadays, the developers, they assemble all these open source packages and, you know, just write a little code, but then you have to know how to assemble these together. Right now, you have to make sure that you monitor the vulnerabilities of these open source components, right? So now it’s not only my vulnerabilities, it’s all the open source vulnerabilities. So those, I mean, usually they are combined into the source code scanner, right? There are secure code review, you know, static code analysis types of tools. They already include those in there. But that is something that software developers have to know, that, yeah, there’s something that you need.

Kaleigh Floyd 34:07

Wow, yeah, it’s like they all are walking on the same bridge to get there, but they’re different. There are different things and different tools that you need to make sure are good to go to cross over into your world. Yeah, no, that’s huge. And is that something that goes with what you talked about before, on the software development side, of what they have written down and what they have assessed on their side?

Kyle Lai CCA 34:27

Yes, yeah, this is the vulnerability. So when they’re going through the vulnerability, how do they manage the vulnerability? Vulnerability scanning, vulnerability management, how often do they scan? It may not be on the source code, but on the production side. How often do they scan, yeah, so that’s, yeah. So those are important. Secrets. I mean, one of the big things is secrets. So keys, API keys or certificates or whatever, right, they are secrets. Obviously, hopefully, your static analysis tool will pick it up if you accidentally, or really, you know, put your secrets into the source code. No, no. So obviously, you want to make sure that you have those types of source static analysis tools able to pick up these types of vulnerabilities, critical vulnerabilities.

Reducing Risk Through Inheritance and Secure Development Practices

Bobby Guerra 35:31

Kyle, what are some things that people could do to try to reduce their risk around the software development side? Perhaps, like, you know, we talked about how, if someone was using Power BI, you could leverage the inheritance aspect of the fact that you’re using Power BI, which was developed by Microsoft, and, you know, it could be part of the package that you would want to try to inherit, at least as much of the components as are there. Are there some tricks and things that you would see? Not really tricks, I guess that’s a bad word to use, but, no, by the book. Yeah, right. Is there some underhanded, shady stuff? No. I mean, are there some things that people could do that are to their advantage, to help limit the scope, or try to make it to where, when they’re doing software development, they’re making life easier on themselves, especially when it comes to the audit?


Kyle Lai CCA 36:22

Yeah, so if you are talking about Power BI or SharePoint, these platforms, some of them, I don’t know the detail, but you know, if they all have the FedRAMP Moderate authorization, because if they are Microsoft, I know SharePoint, most likely they are already FedRAMP Moderate. I’m not sure about Power BI, but if you can confirm they have FedRAMP Moderate, and GCC or GCC High, the government cloud for Microsoft, for example, then yes, you will be able to inherit a lot of controls if you develop on SharePoint. There are some SharePoint applications or Power BI scripts or something that you develop, but the underlying platform, right, already has the FedRAMP Moderate or higher ATO, authorization to operate, so you will be able to inherit a lot of these controls. So yeah, there’s a lot of benefit to using platforms, if it’s already

Utilizing Cloud Repositories and Single Sign-On for Enhanced Security

Bobby Guerra 37:26

And, like, also if you’re using third-party cloud repositories or, you know, change management. You talked about DevOps and things like that. So if you’re able to try to keep it there, and then even better, what if you were leveraging single sign-on, perhaps to your Entra, so that now you’re getting all the SIEM information that you’re doing for your logging and management of it, you’re able to grab it. You know, you’re centralizing. I mean, there’s definitely some smart things that you can do.

Kyle Lai CCA 37:54

So if you are developing within Azure, AWS or Google, yeah, that environment, most likely they are all FedRAMP Moderate or FedRAMP High already. So there are a lot of controls you can inherit. So you don’t have to worry about

Bobby Guerra 38:12

But if you start grabbing all these other cloud options, that all gets pulled in, then, if you start doing those types of things.

Kyle Lai CCA 38:18

Yeah, you just have to worry about the tools that you use; you don’t have to further document the controls because they’re inherited.

Bobby Guerra 38:26

Yeah, interesting. Well, thank you, Kyle, for your time, sir. I really appreciate it. Is there anything else that you feel you’d like us to cover?

Leveraging KLC Consulting’s Resources for CMMC Compliance

Kyle Lai CCA 38:33

Yeah, so one of the questions that you mentioned was, you know, what kind of controls should be documented? So on our website, KLCconsulting.net, you can go there, and there’s a Resources drop-down. There are a few secure development principles, and also there’s a spreadsheet documenting the application security related CMMC controls, so you can take a look. I mean, that’s not considered consulting business, just a template. So you can use that as a starting point to modify and tailor to your own principles and procedures, yeah. So, I think the big thing is that, yeah, IT and the software security people just have to work together.

Kaleigh Floyd 39:33

Yeah, they need to talk.

Bobby Guerra 39:34

Yeah, just talk. Hug it out!

Kyle Lai CCA 39:35

Yeah, but once they talk, you collaborate, and it will make the SSP a lot easier to document.

Bobby Guerra 39:40

That’s awesome. Kyle, how can people connect with you to know more about you? Perhaps, if they were wanting to get assessed and, you know, maybe they have software development and they’d want to make sure that they’re using a C3PAO that understands those concepts, how can they reach out to you?

Kyle Lai CCA 39:54

Yeah, so me, personally, I’m on LinkedIn. Or they can just go to our website, KLCconsulting.net, and you can contact us from there.

Bobby Guerra 40:08

Awesome. Well, thank you so much for taking time out of your day, sir. I really appreciate it. Great. Thank you so much. Well, everybody, this was just a really good one, right, Kaleigh? I mean, there’s so many things. You know, I’m not really a software type person, but we run into it.

Kaleigh Floyd 40:25

A lot of potential clients, a lot of clients that we have that do this. So it’s really cool to hear that perspective, for sure. Yeah.

Bobby Guerra 40:31

And I think, again, like I stated at the very beginning, this is, I think, a topic that hasn’t really had as much light shined on it, and you really do want to pay attention, because these types of things you don’t want cropping up during your assessment when you’re not expecting it. You want to make sure you’re accounting for these things, that you are properly treating them like assets, processing them completely with your SSP, and handling them all appropriately. Yeah. So thank you so much for sharing your wisdom, Kyle. So yeah.

Kaleigh Floyd 41:03

We hope you guys enjoyed today’s episode. Tune in next Thursday for another episode of Climbing Mount CMMC, but until then, guys, keep on climbing. See ya.

Kyle Lai CCA 41:13

Right, take care.
