CMMC Timeline Update: DoD Submits CMMC Program to Office of Management and Budget for Review
On July 24th, the Department of Defense submitted the Cybersecurity Maturity Model Certification (CMMC) Program to the Office of Management and Budget (OMB) for review.
So, what exactly does this mean for Defense contractors?
To start, the OMB approval process is a key step in the development of new federal regulations. Within the OMB, the Office of Information and Regulatory Affairs (OIRA) is the organization that reviews all significant regulations and oversees the implementation of government-wide policies in the areas of information policy, privacy, and statistical policy.
The regulatory approval process begins when an agency (in this case the DoD) submits a proposed regulation to OIRA. OIRA then reviews the regulation to determine whether it meets the following criteria:
· The regulation is consistent with the President's policies and priorities.
· The regulation meets certain administrative requirements and is carefully considered from a cost-benefit analysis.
· The regulation has been adequately coordinated with other agencies and is not inconsistent, incompatible, or duplicative of existing policies.
Per Executive Order 12866, OIRA has 90 days to review a proposed regulation, with the ability to extend the review period for an additional 30 days. If the regulation is approved, it is then published in the Federal Register. The public then has an opportunity to comment on the regulation for a period of 60 days. After the comment period closes, the agency may make changes to the regulation in response to the comments. The final regulation is then published in the Federal Register.
OIRA may also return a proposed regulation to an agency for further consideration if it is not consistent with the President's priorities or if it does not meet certain administrative requirements.
Bottom line, this is a significant step in the journey towards a final CMMC rule being incorporated into DoD contracts. If OIRA takes the full allotted time to deliberate, we could expect to see it open for public comment between October and November of 2023. Once all public comments have been addressed, a final rule could in theory be expected as soon as early 2024.
This begs the question of when, then, a CMMC certification requirement would start to show up in contract solicitations. That would ultimately be up to the DoD, but current industry thinking is later in 2024. The speed of rollout will also be worth watching, as there are fewer than 50 authorized C3PAOs at this time who can provide certifications, and it would be in the DoD’s best interest to take a measured approach and not create a “supply problem” given that they will ultimately foot the bill for the cost of these certifications. That said, the very existence of CMMC indicates the priority that cybersecurity is for the DoD and the Federal government in general (see recent Department of Homeland Security final rule to protect CUI), regardless of cost.
For now, this is another step towards third-party independent assessments of Defense contractors’ cybersecurity and compliance with their FAR and DFARS contractual obligations. In the meantime, we continue in the present, where Joint Surveillance CMMC assessments are occurring weekly as part of the CMMC Pilot Program and companies are required to self-attest to their compliance by reporting their scores to the Supplier Performance Readiness System (SPRS) prior to being awarded a contract as part of DFARS 252.204-7019. Accurate reporting of information to SPRS is key given recent events where the DOJ has pursued contractors under the False Claims Act (FCA).
CMMC in the Age of COVID-19
Last year, the Department of Defense began structuring the Cybersecurity Maturity Model Certification program. The CMMC program does a number of things right.
· It draws from state-of-the-art standards promulgated by the National Institute of Standards and Technology (NIST), DoD itself, and the international security community.
· It requires third-party assessments in lieu of self-certification, which closes a potential loophole in current cybersecurity requirements.
· It includes the entire DoD industrial base – approximately 300,000 contractors and subcontractors.
· It recognizes that one size does not fit all – different levels of security are necessary, depending on the costs and benefits and specific contracts and sensitivity of the data that will be involved.
· It incorporates systems thinking that includes training of third-party assessors and an extended rollout of contracts to which CMMC will apply.
But any program that is as comprehensive as CMMC presents questions that can only be answered over time. So, in the spirit of the Jewish Seder, in which the youngest child recites the “Four Questions,” we identify four questions about CMMC. But unlike the child’s questions, which are answered during the Seder, the answers to these CMMC questions may not be known for months or even years.
Question 1 – Will speed impair effectiveness? In Top Gun, Tom Cruise famously “feels the need for speed.” But speed can kill. DoD’s timetable is ambitious. The program projects the establishment of certified third-party assessment organizations and the training, testing and licensing of 10,000 assessors, who will ultimately be assessing (and no doubt periodically reassessing) 300,000 companies. DoD plans to release Requests for Proposals that include CMMC requirements in November. Even in the best of times DoD’s timetable might be overly difficult to achieve. In the age of the coronavirus the difficult may have become impossible. Yet the cybersecurity threats that CMMC will address will not be slowed by the virus. How will DoD reconcile the “need for speed” with the need for effectiveness? In Louise Penny’s mystery series, Chief Inspector Gamache is known to caution, “Take your time. I’d rather have a thoughtful answer than a fast one.” Is that good advice for the CMMC team? Or is the perfect the enemy of the good?
Question 2 – Will the level of detail included in the CMMC capabilities, processes, and practices lend itself to box-checking rather than a more holistic evaluation? Professor Tribe has pointed out that in trials and other forms of decision-making, “hard variables tend to swamp the soft.”[1] Can DoD steer clear of the “tyranny” of the hard variable? There can be a temptation to conduct an assessment in an algorithmic way, looking at the trees but sometimes missing the forest. The lure of this temptation is likely to be proportional to the level of detail and number of items that must be reviewed in an assessment. And that lure will grow – even exponentially – when an assessment must be applied to 300,000 companies. Effective cybersecurity protection will be enhanced if auditors can go beyond the boxes and provide a holistic, even if somewhat subjective, review.
Question 3 – Is the novel coronavirus itself a threat that should be incorporated into the CMMC program? Security experts will tell you that the greatest security weakness in a system is not its hardware or even its software, but its liveware. People – often for all the wrong reasons – are the most vulnerable part of the system. How much more will this be true if the people whose experience and expertise is most needed to protect a system are themselves subject to a highly contagious disease that to date has no effective cure or vaccine? The best system in the world – security or otherwise – will be next to useless if the critical “liveware” needed to manage and operate it are absent, or have to telework from remote locations that lack effective cybersecurity protection. Should this risk be explicitly incorporated into CMMC?
Question 4 – Will CMMC become a ceiling rather than a floor? CMMC is a huge undertaking, but it is not the only game in town. Will CMMC “suck the oxygen out of the cybersecurity space” and become the de facto cybersecurity standard, leaving no room for other NIST, civilian agency, or other initiatives? And is that, in turn, a good thing or a bad thing – will it streamline our protections, or will it limit them?
So there we have our Four Questions for the CMMC program. As Nobel laureate physicist Niels Bohr (and later Yogi Berra) famously said, “prediction is difficult, especially about the future.”
DISCLAIMER: This blog expresses the views of the author and is not intended to represent the views of the Steptoe law firm or any of its clients.
————
Fred Geldon advises clients in connection with government contracts and compliance matters.
Prior to joining Steptoe, Fred was counsel for EDS US Government Solutions, the business unit of Electronic Data Systems Corporation (subsequently HP Enterprise Services) that performs contracts with agencies of the US government. In this role, he handled and supervised legal matters involving EDS’ federal government customers. Fred regularly represented, counseled, and trained EDS contract administrators and business units concerning all aspects of government contracts including bid preparation, bid protests, contract and subcontract negotiation, contract and regulatory interpretation, claims, terminations, compliance, organizational conflicts of interest, and disputes.
Prior to joining EDS, Fred was a partner in private practice, where he focused on government contracts, energy and commercial litigation. From 1983-1985, he served as Assistant Director of the Environmental and Occupational Disease Litigation section of the Torts Branch, Civil Division of the Department of Justice, where he supported the management of the nationwide asbestos litigation involving the United States. Fred began his legal career in 1973 as a law clerk to the Honorable William B. Bryant, Judge of the United States District Court for the District of Columbia.
Fred is currently an Adjunct Professor of Computer Science at George Mason University, and conducts frequent training sessions for the Public Contracting Institute in Compliance, Organizational Conflicts of Interest, Fundamentals of Government Contracting, the Federal Acquisition Regulation, and a variety of other government contracts topics. Fred has lectured and participated in government contracts programs at the George Washington University National Law Center (Government Contracts Program), ESI International, the American Bar Association, the District of Columbia Bar, the National Contract Management Association, the American Corporate Counsel Association, Federal Systems Summit, GSA Trail Boss Program, Centre Consulting, Federal Publications, and Grant Thornton Government Contractor Roundtable. Fred also sings with the Fairfax Jubil-Aires barbershop chorus and Men In Stripes barbershop quartet.
[1] L. Tribe, “Trial by Mathematics,” 84 Harvard Law Review 1329, 1366 (1971)
Qualifying CMMC Auditors in the Age of COVID-19
As much of the world grinds to a halt with the spread of COVID-19, the Department of Defense (DoD) and the CMMC Accreditation Body (CMMC AB) are charging forward with implementing the CMMC. The CMMC AB is charged with several large tasks to make the CMMC a success, which include certifying CMMC auditors and C3PAOs (the companies who employ the CMMC auditors). Both the CMMC auditors and the C3PAOs must meet a set of requirements being established by the CMMC AB in order to perform the network assessments/audits that will be recognized by the DoD as meeting the new CMMC requirement. The DoD intends to include the CMMC requirements in 10 new requests for proposals (RFPs) in fall 2020. The DoD estimates that 1,000 companies will be impacted by the CMMC requirement in the initial 10 RFPs. The current timeline of the CMMC implementation will require all 1,000 companies to receive their CMMC certification by time of contract award, which could be as late as June 2021 (let us assume June 1st for now).
The CMMC AB intends to qualify CMMC auditors via in-person CMMC auditor training. The auditor training will be conducted by trainers who are trained by the CMMC AB. Only auditors who attend the approved CMMC auditor training will be considered qualified to conduct the CMMC audits recognized by the DoD. The CMMC AB plans to launch initial train-the-trainer training in April 2020. It is unclear how long the training for auditor trainers will last, and what the throughput will be, but let’s say that CMMC AB approved auditor training for auditors had planned to begin in earnest in June 2020. With COVID-19 making in-person training impossible for the foreseeable future (as evidenced by many state school systems canceling in-person classes until the 20-21 school year), it is unclear if training for trainers will kick off in April as planned.
For simplicity, let’s also assume that each audit takes on average two weeks and requires two auditors to complete, realizing that CMMC Level 5 audits will require more time and manpower than a CMMC Level 1 audit. In order to prevent a bottleneck in the DoD supply chain on June 1, 2021, more than 60 auditors need to be certified by the CMMC AB each month starting in June 2020. It is difficult to see how the current method of training-the-trainer and conducting certified CMMC auditor training will meet this initial demand, let alone see how it will scale to meet the exponentially growing demand over the next five years. In addition to in-person training not being easily scalable (especially given that the current CDC guidance suggests no gathering larger than 10 people), the flaws in this method are even more apparent in this new COVID-19 reality of telework and widespread government-mandated lockdowns. It is hard to know exactly when training could commence.
Instead of continuing with the model for training trainers, providing training to auditors, and waiting out a world-wide pandemic, the CMMC AB should spend its limited time and manpower developing a CMMC auditor certification. According to the American National Standards Institute (ANSI) National Accreditation Board (ANAB) “a certification reflects attainment of established criteria for proficiency or competency in a profession or occupation and is granted upon an assessment of an individual’s knowledge, skills, and abilities. Certification is valid for a specific time period. A certification program has ongoing requirements for maintaining proficiency or competency and can be revoked if ongoing requirements are not met.” Creating a CMMC auditor certification is a scalable model for qualifying auditors around the globe in a short amount of time.
ANSI does not allow an organization that owns a certification to also conduct training for that certification. This practice prevents organizations from simply training personnel to pass a test. It allows only third parties without knowledge of the examination criteria to provide training on the knowledge, skills, and abilities that are tested for in the certification exam. Establishing the CMMC auditor certification frees the CMMC AB from having to conduct CMMC auditor training. Instead, the CMMC AB could partner with established training companies to enable them to provide official CMMC auditor training in a much more scalable manner. Companies that specialize in training can rapidly develop and deploy CMMC auditor training through established training pipelines, including through online and virtual formats that are nearly impervious to the COVID-19 limitations.
The Department of Defense has been using ANSI approved certifications to set baseline qualification standards since 2005 when DoD CIO published DoD 8570.01-Manual. 8570.01-Manual established a list of baseline certifications for the DoD Cybersecurity Workforce. Personnel performing cybersecurity functions must obtain one of the certifications listed for their position category or specialty and level in order to be considered qualified for their position. In the same way that having an approved 8570.01-Manual certification does not guarantee that an employee is fully qualified, having a CMMC auditor certification would be a good baseline qualification standard but does not guarantee a fully qualified CMMC auditor. Cybersecurity auditors have existed for at least 10 years, so the concept for creating CMMC auditors is not entirely novel. The CMMC AB could put in place a robust set of experiential requirements for CMMC auditors, to add to the CMMC auditor certification, to ensure they have the most qualified CMMC auditors possible.
The new reality created by COVID-19 has caused even the oldest institutions to reconsider how they currently conduct business, and the CMMC AB should similarly adjust. There is still time to make these changes, and the CMMC AB should strongly consider this alternate path to qualifying auditors. Creating a CMMC Auditor certification will create a larger auditor workforce in a shorter amount of time, and has the ability to ensure a more highly qualified auditor workforce than CMMC AB auditor training alone can provide.
—————
Leslie Weinstein is an Army veteran and management consultant with 14 years of experience in intelligence and cyber operations, and strategy and policy consulting with eight years of experience in a joint environment, and three years of experience at the OSD level. Five years of active duty, complementing eight years as a federal civilian and consultant provides her a diverse and unique skill set that she has successfully leveraged to solve some of the most complex issues facing the Department of Defense.
A key aspect of the new CMMC is how it alters DFARS 252.204-7012 requirements
Even though the new Cybersecurity Maturity Model Certification (CMMC) was meant only to add a verification component to the security requirements in DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), there is one area where it is changing the clause: sub-contractors.
Currently vendors doing work for the DoD need to comply with subsection *(m) of DFARS 252.204-7012, which states “Contractor shall include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties”.
The language in the first drafts and presentations of CMMC implies that the standard for flowing down the requirement for being certified to at least level 1 will no longer be dependent on whether the sub-contractor is handling covered defense information. Instead, all companies conducting business with the DoD will be required to be certified, including sub-contractors. Under the new CMMC language, which is scheduled to be inserted into RFPs starting next year, the required CMMC level will be contained in sections L & M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts. The result would be that the government would bear some if not all the cost to get everyone certified.
With the cost being subsidized, the big question will be: can small businesses who are sub-contractors on DoD contracts obtain a level 1 certification? Fortunately, the current description of level 1 requirements seems to be a low threshold which can be reached by following rudimentary cybersecurity best practices.
As always, the details are what will be important when CMMC is finally launched but as of now one of the biggest impacts will be the inclusion of a significant number of companies who had previously been exempted from DFARS 252.204-7012.
*(m) Subcontracts. The Contractor shall—
(1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and
(2) Require subcontractors to—
(i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(B) of this clause; and
(ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause.
—————
Andre (Andy) Barrera is an Information Systems Security Manager (ISSM) at the RAND Corporation. Prior to that, he worked as a Lead Associate at Booz Allen Hamilton in their government cybersecurity practice serving Los Angeles Air Force Base. Andy also served in the United States Air Force and has more than 20 years of cybersecurity experience spanning the public and private arenas.
CMMC – The Cyber Compliance Standard We’ve Been Waiting For?
Is the Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) the future, or just another compliance initiative in the long line of competing cyber standards across a fragmented landscape?
One thing is certain: this is a different approach. To date, the government has been mostly disjointed when it comes to cyber. Regulators have focused on privacy, mostly at the state level, and post-breach notification. 50 states have a data breach law, all different, all of which rely on individual businesses to proactively take on the burden of securing themselves against a risk they don’t understand and that is costly to address. There is HIPAA, GLBA, GDPR, CCPA, and more. Effectiveness of the different compliance regulations is a legitimate question, especially when compared to the burden they bring for businesses.
The disjointedness has led most businesses, especially small ones, to simply ignore toothless regulations and roll the dice on a data breach, knowing they likely won’t even learn of one if it does happen, let alone be required to notify anyone. Business owners intuitively know this is important, but lack of clear regulations, enforcement and affordability has resulted in little progress addressing the issue.
It is precisely under these circumstances where the Federal Government should step in, establish a winning compliance standard that incorporates but supersedes all others, removing the overwhelming burden from business and addressing the overly fragmented regulatory environment.
This brings us back to the federal government and its contractors. NIST 800-53 is a beast, with an entire consulting industry built on it, and has successfully become an effective standard in the acquisition of government systems. How effective it’s been in securing government contractors is unclear. NIST 800-171 is less burdensome, focused mostly on confidentiality (as opposed to availability and integrity), and was developed with small businesses in mind. The problem with either framework has been adoption by private businesses, which is directly tied to the ability of the government to enforce. Adoption has mostly been voluntary and/or unenforceable. That is not the case with CMMC; it comes with a stick and a plan to use it. Make no mistake, CMMC has teeth.
Then there’s FedRAMP. Brought about to address the movement to cloud computing, FedRAMP enables commercial companies with cloud products or services wanting to do business with the federal government to get their infrastructure, application or system certified once, so it can be sold and used again and again by multiple government clients. This one to many approach is a departure from NIST 800-53 and RMF but is possible due to the scalability and centralized control inherent in the cloud.
CMMC is the natural evolution of NIST’s comprehensiveness and FedRAMP’s marketplace and impact level approach. Will it meet its ambitious goal of becoming the one standard to encompass them all? The answer depends on 3 big questions:
What will happen to small business government contractors?
Rest assured, the large and mid-sized DoD contractors will both absorb CMMC and capitalize on the market opportunity in stride. In one sense, CMMC is creating an industry overnight. Businesses of all sizes (including the ultra-small) can get certified and become third party (independent) assessing organizations (3PAO). That said, who will they assess? Average ongoing cost of CMMC compliance is estimated to be $3,000 per employee per year with an initial one-time implementation cost of $500 - $1,000 per employee. As with any regulation that reduces the bottom line, there is at least some risk that small businesses will consolidate into larger businesses and/or exit the industry altogether.
With PCI-DSS (a comparable solution in the sense that it had teeth and the enforcing body had power over the regulated), many businesses exited the business of payment processing, instead outsourcing to accredited solutions and therefore eliminating their compliance burden. An additional cost, yes, but one offset at least partially by the automation brought by third party solutions.
Will this be the same for CMMC? Maybe. There is talk of pre-certifying SaaS solutions (see one to many approach above) and/or reciprocity with other compliance regulations such as FedRAMP, but there is one key difference: scope. PCI regulated the function of accepting credit card payments. CMMC is anticipated to be much more comprehensive, regulating how businesses process information and use technology. This is the core of what most businesses do, and compliance will not be as simple as outsourcing one function of their business. There has been talk of an allowance to ease the burden on small businesses and, at the end of the day, if enough advance notice is given, the cost of compliance can be baked into any proposal submitted to the DoD. This ultimately leaves the government holding the bill, which begs the question: what will be sacrificed to pay for CMMC?
Will CMMC go beyond the DoD (i.e. is this the federal standard we’ve been waiting for)?
There are few more powerful customers in the world than the United States Department of Defense, and while we must start somewhere, will CMMC catch on beyond its initial implementation? It’s logical to think that if proven successful, other federal departments will adopt what the DoD started. Then what? State governments? Local governments? While they don’t have the same buying power as the federal government, they do have legislative power. If CMMC does filter down to states and municipalities, where will the money come from? If budget increases or cuts from other programs are not feasible, then we must circle back to the above question and ask if this will just lead to exits and consolidations among small businesses, essentially eliminating the small business ecosystem this country prides itself on.
Many excited service providers like to throw around the idea that this will become THE standard for all businesses in the United States, which would be great for cybersecurity, but again may not be so great for the smallest businesses. Furthermore, it’s easy to make the argument that the DoD supply chain is a target of interest for nation state cyber actors around the world. Can the same case be made for state contractors? What about the average small business who is more of a target of opportunity than a target of interest? Then there are the alarming stats:
· Small and mid-sized businesses (SMBs) represent 99% of all U.S. businesses and employ more than 60% of Americans
· More than half of SMB data breach victims are out of business within 6 months of being attacked
As we know, most small businesses lack the resources and expertise to protect themselves and, as discussed above, the disjointedness of the regulatory approach to date has led most small businesses to simply ignore toothless regulations. Add that all up and it’s not too far of a stretch to imagine the scary scenario of a well-crafted piece of malware wiping out a good portion of the American economy.
This brings us back to the question at hand: can CMMC, or any compliance regulation for that matter, be rolled out beyond government contracting and effectively address cybersecurity without resulting in too great of a burden for the small business community that makes up the fabric of our economy?
Eventually, the disjointedness of regulatory compliance around cyber is likely to stop, and one framework/model will win out. It stands to reason there is a good chance it’ll come from the federal level due to the resources, legislative and buying power they hold.
How do you maintain quality of CMMC service providers?
As already discussed, anyone worth their salt in cybersecurity has posed this question at least once: how effective is compliance at actually reducing incidents and successful attacks? Take a look at Service Organization Controls (SOC) compliance, for example. It was created by accountants! Should the AICPA be the governing body of a compliance regulation? What qualifications do they have? Who were their technical advisers? The fact is that cyber, like any new industry, has often been approached as a race to market and then figure it out afterwards. The winners get financial gain and credibility, but this can be dangerous in a risk-based industry.
Furthermore, while academia and industry have begun to address the giant chasm between cybersecurity need and qualified talent, there is still an overwhelming talent gap between qualified cybersecurity engineers and open positions. It’s not a switch you can flip overnight and expect the problem to be reasonably addressed.
This begs the question: how will it work when the DoD creates a critical cyber industry overnight? There will be a race to market. Who will regulate quality? Who will staff the service providers AND the regulators? Current thinking is a non-profit will be the consortium that certifies the service providers. They better know what they are doing because a quick way to kill CMMC in its tracks will be quick to market snake oil solutions and/or unqualified 3PAOs that miscertify contractors or worse, rubber stamp them because they are paying their bills and the government has no quality control mechanisms in place. All of this would effectively make the standard ineffective and a giant waste of time.
These questions and more are being debated by the CMMC team as of this writing and we must give them time to do so, but we must also give them input. One way to do so is by filling out the CMMC Marketplace survey. In the end, the success of CMMC will depend on questions such as the 3 posed above and our ability to think through them now, PRIOR to the aggressive 2020 roll out target. While we won’t have all the answers, healthy debate and industry input is critical to the ultimate success of CMMC.
---------------------
Chris served six years in the U.S. Marine Corps where he was the country Chief Information Security Officer for the Republic of Georgia, a role in which he oversaw protecting USMC digital infrastructure in a highly vulnerable cyber threat environment. Upon returning to the United States, Chris left the Marine Corps to pursue a Masters in Computer Science and MBA from UCLA, and also worked for the MITRE Corporation as a cybersecurity engineer. In 2014, he founded Ariento, a cybersecurity, compliance and IT service provider. Chris is a member of numerous cyber organizations including the FBI InfraGard and the Secure The Village Leadership Council; he teaches on the topics of cybersecurity and privacy at UCLA, and is a regular speaker and contributor to the Wall Street Journal Pro - Cybersecurity.