The Future of CMMC: Surviving the new Federal Security Landscape with Former NRMC Director Bob Kolasky

March 18, 2025

How do you secure a nation? Hint: look for the risks to the most critical infrastructure.


In this critical episode of SecureTalk, host Justin Beals sits down with Robert Kolasky, former founding director of the National Risk Management Center at DHS and current Senior VP for Critical Infrastructure at Exiger. As the new administration implements sweeping changes to federal security requirements, Kolasky provides an insider's perspective on what these shifts mean for contractors, the Defense Industrial Base, and organizations managing critical infrastructure.


Drawing from his experience protecting everything from elections to the electrical grid, Kolasky offers rare insights into:


  • The future of the Cybersecurity Maturity Model Certification (CMMC) program
  • How companies can prepare for evolving compliance standards
  • The relationship between FedRAMP and other security frameworks
  • Emerging hybrid threats to national security
  • Supply chain vulnerabilities and third-party risk management

Whether you're a federal contractor navigating new requirements or a security professional concerned about critical infrastructure protection, this conversation provides essential guidance during a time of unprecedented change in the national security landscape.


Secure Talk - Bob Kolasky

Justin Beals: Hello, everyone, and welcome to Secure Talk. I'm your host, Justin Beals. 

In today's increasingly volatile landscape, we are focusing on something that should concern everyone in our industry: national security, and how to navigate the rapid, sometimes disruptive changes being implemented by the federal government under the new administration.

The security landscape is shifting beneath our feet, and organizations unprepared for these transitions may find themselves facing serious consequences. Today's conversation features an insider who has operated at the highest levels of the United States federal government, ensuring our nation is prepared to secure critical infrastructure from elections to electricity.

We'll dive into how our country manages supply chain security, challenges the evolution of third-party risks for nation-states, and get rare insights on emerging global security threats from someone who's been in the room where it happens. We'll focus specifically on the new administration's changes for federal contractors and what this means for businesses working for the government.

At the heart of our conversation are critical questions about the future of the Cybersecurity Maturity Model Certification Program, or CMMC. Is implementation still moving forward under the new administration? What impact will recent leadership changes have on compliance requirements? And how can companies prepare for these evolving standards?

We'll also discuss how regulatory frameworks like FedRAMP are shaping the cybersecurity landscape and whether they complement or compete with CMMC. We're joined today by Bob Kolasky. He is the Senior Vice President for Critical Infrastructure at Exiger, where he focuses on developing cutting-edge risk management solutions for critical infrastructure companies and supporting government agencies. In this role, Mr. Kolasky leads market strategy for addressing third-party and supply chain risk in critical infrastructure. Mr. Kolasky has also served as a nonresident scholar in technology and international affairs at the Carnegie Endowment for International Peace, as a senior associate for the Center for Strategic and International Studies, and as a senior fellow at Auburn University's McCrary Institute.

He is the former chair of the High-Level Risk Forum for the Organisation for Economic Co-operation and Development. Mr. Kolasky joined Exiger after 15 years as a senior leader in the federal government, where he was responsible for foundational work in national security risk management and election security.

He was the founding director of the Cybersecurity and Infrastructure Security Agency's National Risk Management Center at the Department of Homeland Security. As one of CISA's Assistant Directors, he oversaw efforts to build strategic, cross-sector government and industry risk management approaches to cyber and supply chain threats to critical infrastructure.

Mr. Kolasky has served in a number of other senior leadership roles for the Department of Homeland Security, including Acting Assistant Secretary and Principal Deputy Assistant Secretary for Infrastructure Protection. Earlier in his career, Bob was a management consultant, a journalist, and an entrepreneur. He graduated from Dartmouth College and from the Harvard Kennedy School of Government.

If you're a federal contractor, part of the defense industrial base, or simply interested in understanding how government and industry are adapting to new security mandates, you won't want to miss this insightful conversation.

Thanks for joining us today.

---

Justin Beals: Bob, thanks for joining us today on SecureTalk. We're really glad to have you. 

Robert Kolasky: Thanks for having me, Justin. I've been looking forward to this. 

Justin Beals: Excellent. I understand that today you're a senior vice president for critical infrastructure at Exiger, and I was wondering if you could tell us a little bit about your team and how you're supporting Exiger's customers.

Robert Kolasky: Sure. So, of course, I'll give you a little bit of background on Exiger itself. We are a dozen-year-old technology company focusing on bringing technology and artificial intelligence and computing data to help understand supply chain risks and third-party risks, and vendor risks. And so, you know, we've got a couple hundred clients in the Fortune 500 and 50 or so government agencies who rely on us, and they use us to illuminate their supply chains, evaluate risk factors with the suppliers, make decisions on vendors that they're working with and continuously monitor risks associated with some of their key third parties. I know we're going to talk a lot about supply chains and third-party risk management throughout the day.

And so we're bringing technology and data to bear to really do that as quickly as possible in a way that helps companies make better business decisions, meet regulatory requirements, compliance requirements, and help government agencies evaluate whether companies are meeting regulatory requirements and also anticipate risks in supply chains.

And so, when I think about risks from a supply chain perspective, we're gonna spend most of our time, obviously, talking about cyber security risks, but there's certainly other risks: operational risks of whether a supplier is going to be available, provenance integrity of a product, you know, whether financial risk, reputational risk, concerns about environmental, social governance issues.

So there's a range of risks that actually we're thinking about. And all those reasons might cause you to either choose not to do business with somebody or to have a, you know, a risk mitigation plan in place in case something happens, or if there is more concentration risk or anything like that.

And so that's what we're doing as a company. I came aboard about 3 years ago to really focus our offerings around critical infrastructure companies and government agencies that think about critical infrastructure. And so most of my time is spent thinking about what I would call security, availability and resilience risks for companies that are critical infrastructure, energy companies, telecommunications companies, key IT companies, as well as government agencies who really want to make sure that those key suppliers, healthcare companies as well, those key supplies are available, because those are so important to community well-being and the national well-being.

Justin Beals: Yeah, I know it's a massive market, and Exiger has grown immensely.

It's a great company, and they've done really well. But you guys, I'm loath to call it a niche, but it's an interesting area in that you're a private enterprise, but a bridge between government and a lot of agencies and businesses, but usually large businesses.

Robert Kolasky: Yeah, I mean, one way to look at the story, and I think a good example of how we've been able to successfully grow our business in contributing positive mission outcomes, is around the defense department.

And so we have several clients in the defense department, you know, both certain services and parts of DOD headquarters and in the fourth estate at DOD and the like, and they use us because the defense department rightly has a very low tolerance for risk, particularly around cyber security risks. We'll talk about CMMC and other things a little bit later, but around cyber risk, around foreign ownership and control risks, they don't want to find a component that was manufactured by a Chinese company that's influenced by the Chinese government.

That is key to a war-fighting effort, right? And so DOD has defined a pretty low tolerance of risk, and they look to Exiger to help evaluate their supply chains. At the same time, the defense industrial base and the big companies also look at us as a way to meet the requirements the defense department put on them and be ahead of the defense department requirements, so that as the primes are putting together, you know, their teams of suppliers to go after executing against, you know, something that's necessary for the warfighting mission.

They are also relying on us to look deeper into their supply chains to make sure that products are secure, that they're trustworthy, that they don't have risks of espionage and things like that.

And it's that righteous cycle of being trusted both by the defense department and the defense industrial base companies that's helped make us successful. And it's, you know, it's facilitated a conversation, because they both have similar views of where there's risk in their supply chain, because they're using our tools, and hopefully it helps increase trust in saying, okay, we are seeing this in our supply chain.

We, as a defense industrial base company, want to get to managing it, but perhaps it can't happen. You know, we can't eliminate that risk immediately. So let's think about how the defense department and the whole ecosystem can be strengthened, you know, eventually going down all the way to critical minerals and things like that, where you want to have a critical mineral supply that's necessary for all the electronics and technologies that go into weapon systems.

And it's not going to be the defense industrial base companies that are able to create that trustworthy, critical availability, critical mineral supply. It is US policy, right? And the defense department needs to work with the interagency, things like that. And so it has really, I hope, facilitated, you know, collaboration to manage supply chain risk between industry and government. And we've served as a trusted standard that they both can rely on to identify risk.

Justin Beals: I'm excited to get into CMMC and some of the changes, the current administration and the defense industrial base, because that's a lot of change recently, but I wonder if you'll take me back, because you've been in this market and these types of solutions much longer than I have.

And it seems to me that I was blown away five years ago, six years ago, when I was researching the work we do today, that about 70 percent of major breaches were coming from a third-party breach. It must be that you, Bob, in your work, like you've lived this arc as third-party breaches became the most prevalent form of a major incident over the last decade or 15 years.

Robert Kolasky: Yeah, you know, why do cyber trends change? Cyber trends change because adversaries see opportunities to do harm. Right? And so third-party breaches became a mechanism that is so popular now that as first-party systems became a little, you know, people invested more in their own information security controls and things like that, um, you know, to hit a target became perhaps easier through a third party than a first party, because there were so many third parties there and, you know, in general supply chains and use of third parties have increased in general, which has increased attack surfaces, and adversaries go where attack surfaces are.

And then the other aspect of kind of what we've seen in third-party attacks is it can be a little less, you do one thing, and it has broad impact. Right? And so, you know, perhaps we've seen adversaries, we've certainly seen criminals, be less discriminating in what they're trying to do and sort of just trying to pop things and hit ransomware against systems and throw things into third parties that, if the configuration between the third party and the first party isn't in good shape, all of a sudden, again, you have a wider attack surface, you have a wider success rate. So, you know, I think, unfortunately, both third-party attacks as an intentional way to try to break into things you care about through cloud services providers and gaining access through CSPs and the like, as we've seen with the Chinese government, as well as third-party attacks as a source of indiscriminate, you know, increasing the harm you can cause, you know, making it more cost-effective as an attacker to go after things. And then we've seen both of those increase.

Justin Beals: Yeah, that combined with some of the technology monoculture changes we've seen, yeah, it gets really tricky.

I mean, it wasn't an adversarial attack, but I think about the CrowdStrike outage as being like a resilience issue in the software development lifecycle, and that's a third-party provider for a lot of organizations.

Robert Kolasky: Yes. And right. You know, that's the sort of indiscriminate aspects of something happens in a third party, and all of a sudden, you have flights.

And you know, I tell the CrowdStrike story from when I was in Minnesota. That's the first time I'd flown Delta for a while, but I got a couple extra nights in Minneapolis thanks to Delta, and not the CrowdStrike tech, thanks to CrowdStrike and Delta. And Microsoft, I don't know who to blame, but, you know, Minneapolis is nice.

I saw an extra baseball game.

Justin Beals: That's great, Bob. Yeah. Well, you represented your own resilience, a moment of opportunity. Yeah.

Robert Kolasky: I'm not afraid to make the point that I'm waiting for Delta to reimburse me for the hotel, and I don't know what's going to happen yet. So I'm hoping Delta will improve its resilience practices going forward.

Justin Beals: You worked for the federal government for many years, and I want to dig into some of those experiences, but at a high level, I'm just curious: what are you considering the most significant emerging threats from a national security infrastructure perspective today?

Robert Kolasky: Yeah, I mean, I think it's what I call hybrid geopolitical threats, and, you know, I would associate these most likely in the current environment with China and the Chinese government and the risks of escalation for reasons that the Chinese government decides we're going to move closer to conflict with us. And so when I say hybrid, it's not just a cyber attack.

It's a supply chain attack. There's an information element of it. It is thinking about, are there physical harms you can cause, and thinking about, actually, which all sort of shorthands into getting critical systems not to work, which has operational impact on the real world.

And so much of the first 10 years of sort of thinking about cyber attacks and critical infrastructure were really focused on the private sector itself. We were focused on protecting information and intellectual property and the like, but now we're really in a moment where you can imagine adversaries intentionally trying to cause harm in the operations of critical infrastructure.

Again, let's not anchor on CrowdStrike as a cyber incident, but, you know, you see operational impact of what happened with that software glitch. You see operational impact of what happened with Colonial Pipeline and ransomware or malware on an IT system. You've seen schools and hospitals this year that aren't doing normal business because of ransomware.

And that's all, you know, much lower level than if a motivated nation-state decided to do things around critical infrastructure. We need to plan against those scenarios. So much of what we need to do in cyber security from a national perspective is contingency planning to be prepared to operate, to defend the most critical things and then operate under degraded conditions, with IT systems that aren't working as intended.

Justin Beals: We're in the midst of an administration change, probably on the back third of it, for presidential leadership in the United States. You've been through a bunch of administration changes over the years. How are you considering this current one, especially in working with your customers and the broader DIB marketplace?

Robert Kolasky: Yeah. So, you know, my background, I was in the federal government from 2008 to 2022. And I did some contracting work before that. So, yes, I have seen several ones, you know, had an opportunity in the beginning of the first Trump administration to serve in senior levels and acting roles in what is now the Cybersecurity and Infrastructure Security Agency, and then helped as the Biden administration took over.

I mean, what is different here is clear. First of all, the president and the people around the president have experience running the government. And so they had a theory of running the government that they were ready to implement on day one. It is a theory that, you know, through the DOGE effort, the Department of Government Efficiency effort, and other changes.

It's a theory to put some pretty dramatic changes within the federal government. So, you know, there's a little bit of shock and awe in what's going on with the federal system, federal government, and we'll talk about it in the context of cybersecurity here. And because of that, there's a little less certainty of kind of how this is all going to play out and what processes and rules and things that were in place are still going to be in place after sort of, you know, the first 100 days are over.

And so I think, you know, the dramatic pace of change and the uncertainty about what the rules and strategies are are creating a moment where people are trying to make sense of that. Any change of this level, you know, creates both opportunity and risk. And so, you know, what we're doing with our clients is trying to track and stay up to date on kind of what the new requirements are and what new risks might emerge, but also see where there's opportunity to take advantage of some of the government reform to build stronger supply bases.

Justin Beals: Yeah, I've heard interestingly, like, I think you're right. I mean, I think they have the perspective on where they think the most valuable spend is, or what the right amount of spend is.

I was talking with a colleague the other day, and they were saying, you know, we went through some fairly sizable cost cutting during the Clinton administration, but it was a little more planned, laid out: this is what we're doing. This feels a lot more chaotic in the rollout.

Robert Kolasky: Yeah, you know, I say, from my perspective, as a former government executive, I was happy with the idea of zero-based budgeting.

I'm happy with the idea. Zero-based budgeting means that when a new boss comes in, and we see this in industry too, you have to defend every dollar you're spending because it's producing the outcomes. And that's a good discipline to have. It's also a fine discipline to say, hey, we want to cost cut.

10 percent, we want to cost cut 20 percent, whatever the target is. What I really hope, and I say this as a career civilian senior executive in the government, what I really hope is they rely on some expertise of what works and what doesn't against those targets, and that's what I'm hoping that we will eventually get to, where, you know, okay, the targets are aggressive, but that's fine.

Let's do it in the right way to help the president achieve what he wants to achieve and not just, you know, indiscriminate cutting.

Justin Beals: Yeah. I have to say, I don't know everyone that has been a civilian employee for the DoD, but I have known a few, and not a single one of them has ever said, we just need to spend more money and the problem will be solved.

All of them were interested in effective practices for the mission that they felt dedicated to. Yeah. 

Robert Kolasky: Yeah. And the constraints to do the mission effectively drive most people who have been at senior levels of government crazy, right? There are constraints that are in place that, if you can knock down those constraints so that leaders can move faster and more effectively get things done, you will have a bunch of key national security professionals on your side, but be smart about going after those constraints.

Justin Beals: Yeah. So, one thing that you mentioned that has been a big shift recently in the DIB, I think we've kind of seen it coming from a third-party risk perspective, is the CMMC standard.

You know, maybe I'd like your take before I seed the ground with too many questions on CMMC broadly and the initiative there.

Robert Kolasky: So, one of my colleagues at Exiger up till a week ago was Katie Arrington, who just went into the administration as the Chief Information Security Officer of the Defense Department.

And so Katie will happily claim some ownership over the genesis of CMMC, and she and I worked together even before we were at Exiger, when I was at DHS, she was at DOD. And so, you know, Katie's taught me a lot about kind of how to think about CMMC, and I know she's passionate, and I would read her coming back into the defense department in a senior role as a sign that, you know, it's full bore ahead with CMMC, and that's certainly how we're thinking about it.

You know, CMMC has always seemed to me, at one level, to just make sense, because it is asking companies in the defense industrial base to follow standards that they should be held to, the NIST 800-171 standards, if they have controlled unclassified information.

And, you know, the question is, how can you most cost-effectively ensure that companies demonstrate that they're following 800-171 to the right level of risk assessment. And, you know, if you had told me in 2018 that we would have only made this much progress in CMMC, I would have said, you know, that's a case where the constraints got in the way, right?

And something's gone too slowly. But, seven years later, let's say, okay, why don't we bridge it? We've now built the ecosystem. We now know the requirements in place. So let's make sure that companies don't leave the defense industrial base because CMMC is too burdensome with compliance, but they recognize that they have to demonstrate that they invested properly in cybersecurity controls.

And that's always a trick with any regulatory effort. I'm hopeful that, you know, the amount of feedback and the effort that's gone into that, the line will be threaded by the administration. And so, you know, I still generally think CMMC is a good idea. I just want to see, finally, let's get over the finish line with a cost-effective implementation.

Justin Beals: Yeah, certainly wide variability in costs. I mean, there are a lot of, I think, rumors. You know, one of the rumors that we heard at some of the recent conferences we've joined is that the C3PAOs are pretty filled up. If you need to perform beyond a self-assessment, you just need to be prepared to do that.

But of course there's a lot of opportunity for technology as well. That's where we tend to play, to support companies and, to your point, being efficient at getting the outcome.

Robert Kolasky: And that's where having technologies, you know, get the approval of the ecosystem to be a trustworthy way, so that maybe there's a more cost-effective way, particularly for lower-level CMMC rating systems, to demonstrate compliance.

That's the kind of innovation that we need. 

Justin Beals: Yeah, you know, the one thing that cropped up out of CMMC that I thought was really interesting, and an innovation in kind of the standards marketplace, is a more quantitative approach to compliance. You know, everything we do, from SOC even to FedRAMP, is like a pass-fail, as opposed to CMMC.

You get a score at the end of it. Yeah.

Robert Kolasky: Yeah. You know, and going back to what we do at Exiger, like we, you know, we do risk score suppliers for a variety of different things, including their software development practices, software risk, and things like that. Not exactly for the CMMC use case. You know, I think scores are good.

Heuristics, in terms of seeing things relatively, how they compare to each other, give some a better effort to do trending over time, help you look at the overall enterprise. So, I'm a fan of metrics and scores as metrics. It all depends on the quality of the methodology to put them together. And I, you know, I hate for people to assume that a score is too precise, and I hate for people to assume that a score will always stay the same way. Yeah. But the more numbers, the better cyber security.

Justin Beals: Certainly. I mean, precision is a big discussion I have with my team all the time, because we sometimes sit at the nexus point of an operational characteristic and how we're going to assess it.

And you can have, like, not enough precision, so it's all mushy. The data doesn't tell you much at all, or you have too fine a precision, where we're imagining that we've got a very fine, precise measurement, but it's really just probabilistic, in a way, in a range, right? The error boundary is large.

Robert Kolasky: Yeah. I dealt with that a lot and, you know, my first job at Homeland Security was in an office that was called the Office of Risk Management Analysis, which was trying to develop risk metrics for the whole Homeland Security mission. And, you know, there was too much trying to be precise for uncertain unknowns.

And I used to get very angry when I saw decimal points, you know, when we're talking about these big strategic things, and I used to get very angry when I saw threat being multiplied times vulnerability being multiplied times consequence. You know, that's a risk formula. But if you use that risk formula too much with decimal points, and then you come up with three kind of overly precise decimals being multiplied against each other to create an even more precise number, you know, it gets wild, so much nuance in the end.

Yeah, so, you know, sometimes a heat map is what you got to get to. 

Justin Beals: Very dramatic differences, but you're like, oh, you know, but the thousandth points, it's within the margin of error. Yeah, it can be fun to play with the math, but the statistics start to lose meaning.

Robert Kolasky: I used to go to Society for Risk Analysis meetings, and I decided after a certain point, I was like, okay, I figured out what's going on here, and I've got to move on to a different group to study with. But more power to the people who are evolving risk models.

Justin Beals: Yeah. I mean, there's certainly, it's fun to create. I know that as a product person. Speaking of creation, you were the founding director of the National Risk Management Center, and I was just a little curious about what it was like to found that institution and get it off the ground inside the government.

Robert Kolasky: So, in 2018, the same year that the Cybersecurity and Infrastructure Security Agency Act was signed, then-Secretary Kirstjen Nielsen established the National Risk Management Center. And, as you said, I had the opportunity to be its founding leader as part of being an assistant director at CISA there.

It was, for me, an awesome opportunity to try to be entrepreneurial within the federal government, and the NRMC was really stood up to do industry-government collaboration a little bit differently, to recognize that we really had to study our critical infrastructure in the U.S. to understand where our strategic vulnerabilities were, and that we had to actively collaborate with industry to work to address some of those strategic vulnerabilities in the face of threat actors.

And, you know, doing that at the same time that CISA was established, the first agency, you know, still the last agency within the federal government that was established. You know, there were lots of significant cyber risks and hybrid risks that the country was facing. And we had the opportunity, both at CISA and within the NRMC, to be in the forefront of addressing some of those risks and hopefully advancing. We did a lot of work.

Initially working with election officials securing their election systems in the face of foreign adversary threats. Started to look at some emerging technologies that could present threats, you know, ways to understand the interdependencies between, if the electric grid falters, what would the impact be on the financial sector or on the telecommunications sector.

And so, we were looking at sort of systemic risks at the National Risk Management Center and trying to prioritize the things to address.

Justin Beals: Yeah, and then it is interesting because I feel like there's been a transition in national security, in a way, from a very, like, the military helps protect us to a public-private partnership, right?

Like, especially in the digitally connected age, and so much of the critical infrastructure, to your point, is now run by private industry. But, you know, the government and private industry, they have to work together to create effective security.

Robert Kolasky: Yeah, absolutely. I mean, you know, that's just the reality.

You know, let's talk about some of the things I've already brought up, like cloud service providers, right? So many people rely on cloud service providers and the hyperscalers for their operation, Amazon, Microsoft, Google, so you have to be able to work with them. And then, you know, the platforms that are delivered through the cloud service providers, and then the kinds of things that are necessary for us to continue to be strong as a country are having a strong energy sector, having a strong financial sector, if something happens from a disease perspective, having a strong health and public health sector. And the government doesn't, in the United States, and they shouldn't anywhere, run all aspects of that. And instead, you know, counsel, and industry being the deliverer, the operator of critical systems, and industry, you know, helping lead and prioritize the security and resilience efforts that are needed, whether it's a cloud service sector or an electric utility or a telecom company.

Justin Beals: Yeah. It's such a big purview and, uh, National Risk Management Center that sits under Department of Homeland Security. So you're crossing a lot of different agencies with an organization like that. What did you feel like was the biggest challenges you faced with the NRMC's mission during your tenure?

Robert Kolasky: Yeah, so the NRMC continues to work across 16 critical infrastructure sectors. I just mentioned a bunch of them: energy, health, public health, water, wastewater, banking, financial sector, chemical sector. And so I think implied in your question is, right, prioritization is always a challenge, getting an understanding of how systems work and keeping that understanding current so that you understand where strategic vulnerabilities are and how systems will cascade.

That still remains the primary mission of the National Risk Management Center: to be the smartest hub to understand critical infrastructure in the United States and to bring the interagency together and industry together to help set priorities for addressing strategic vulnerabilities, protection priorities, or resilience priorities around that.

And that means information sharing. That means building trust, and that means once you set priorities, you know, having the ability to address them and leveraging partnerships to get things done. And so, you know, those are sort of macro challenges. You know, I'll give you an example; you know, the first brief we got was in January 2020 about the pandemic, right?

About COVID. And, you know, we were coming out of a period where we, the US government, had just assassinated Soleimani in Iran, or had killed Soleimani in an Iran attack. And we had been spending four weeks thinking about kind of, what if we escalate with Iran? What are the critical infrastructure protection top priorities for that?

And all of a sudden we hear through our health colleagues and intelligence channels that, hey, there's a pandemic in Wuhan, or there's something weird going on in Wuhan. And so how do you then spin up efforts to, okay, what could happen to our critical infrastructure because of a public health crisis, you know?

I didn't have responsibility. We didn't have any responsibility for managing the actual health outcomes related to the pandemic. That's the health community, but we did have responsibility for making sure that during the pandemic, when infrastructure workers couldn't go to work for whatever reason, the infrastructure still functioned. You know, we all saw this with just the movement to Zoom and the like, and, you know, the reliance on ICT infrastructure.

But, you know, we really worried about whether there was going to be availability of food, whether there was going to be availability of water, you know, could we continue to function systems? And so, you know, what we were able to do within, like, 8 weeks is identify a priority list of essential critical infrastructure workers, the workers who had to be prioritized to be able to continue to work, even in the middle of what was a very uncertain pandemic.

And we published an essential critical infrastructure workers list and said, these are the workers that you should prioritize. You know, even when you have restrictions on people's ability to work, they should work.

And if they need, you know, if they need protective equipment to continue to work, you should prioritize getting protective equipment to them versus other people. And 40 states or so ended up, they didn't have to, but they ended up carrying forward the federal list of essential critical infrastructure workers through their governors, putting their own executive orders in place to say, these are the workers in my state who need to be able to work.

And so it's an example of our ability to sort of understand from a risk perspective who was most important that had to work and then have that pushed out as sort of a national standard of, you know, essential critical infrastructure workers. And, you know, the reason we were able to do it at the NRMC is we had the relationships with industry.

So we could have a sort of data call about, you know, who's most important to keep the functions working. We had already identified functions that we thought were the most important, but tell us which types of workers are most important for these functions to work.

Justin Beals: I find this so intriguing. I actually just had a conversation with a friend in the last week, and they were talking about their relative perspective on how the pandemic was handled versus some of the economic impact.

And my point about it was, I think if you looked at what we were being told, you know, the death toll could have been 3 to 5 times higher if we had not limited human interaction. And, of course, that had an impact on the economy. And if you look at what was happening with China, where people were bringing dead relatives to the government office to say, Hey, you know, my family is dying.

We're not doing anything about this. That seemed to me one of the fears and risks in the analysis. Did that factor into your calculations as you were looking at what was happening?

Robert Kolasky: So now you've got me on something that I can talk about for a long time. So, you know, we lived it, I lived it, just like all of us, but I lived it at work, linearly.

And so, if you put your head back in what you knew in whatever period, February, March, April, May, and the level of uncertainty, you know, now we're having all these conversations about, did we get the science wrong? And, you know, scientists will say we got the science wrong? They didn't intentionally get the science wrong, you know. Let's not get too far into the science, but translating science into security outcomes.

And so, you know, I'll give grace to the period where the first goal was to save lives, and the science was uncertain, and we had to try to maximize saving lives. What does frustrate me is we hit about the late summer, and it was time to bring other things into the national goal. So saving lives was one thing, but making sure that the economy still worked was another thing, making sure that kids were still getting educated, that community relations were still, you know, there were other metrics that could have been part of the equation.

And if I am critiquing one thing that the government did there, it's like, we managed to the public health metric for too long at the expense of other metrics, where we should have had a more balanced set of metrics to manage against. And that might have caused people to have different trade-off discussions.

And, you know, I say that as somebody who lived in DC and had my kids, you know, at least my youngest kid, miss going to school in person for more than 14 months. Yeah. And, you know, in hindsight, that wasn't right. And so it's like, you know, okay, I understand how we got there, but the trade-offs weren't right.

And the other hobby horse I have here is, I'm actually in London right now, and the UK has done this awesome job of, uh, you know, a national government-led multi-year after action report of what the country got right and what the country didn't get right in dealing with a pandemic. And we just haven't had the same thing in the U.S., and I would like to see it because I would like it to be baked into learning and the like.

Justin Beals: I mean, I think, to your expertise, there's a science to risk and risk analysis, even. And also it's a constantly changing environment. You know, if you get a chance to be six months into an action plan and review the current risk landscape, and we need to do that even in the private sector, from small businesses to big businesses, what are the changes in our environment that we're most concerned with on a regular basis?

Robert Kolasky: There's this view, right, that consistency is a sign of strength, and, you know, I think what you're asking about, and what you and I would probably agree on, is you should only be consistent except when data doesn't cause you to change your mind and new information doesn't cause you to change your mind, and actually there's great strength in being willing to take new data and new information.

You know, change your recommendations. And, you know, that's just at a political level. That doesn't seem to happen that often. 

Justin Beals: There was another bit of your background that I was really interested in. I started out my career in computer science on the networking side with British Telecom. But you were involved in the 5G spec and security around the 5G spec.

And I was just a little curious, being with your hands in the belly of the beast, what were the most contentious security issues that you were dealing with with 5G and the community there?

Robert Kolasky: Yeah, so, you know, that was one of the early projects that we took on in the National Risk Management Center, trying to think through 5G security, and, you know, a lot of that was driven by our understanding, you know, most of this is public now, but intelligence-derived understanding about the risks of Huawei and ZTE, and Huawei and ZTE being a source for espionage and information collection and the like within the 5G network.

And so, you know, a lot of what we were trying to do was figure out ways we could convince allies, or advocate for allies, to not use Huawei and ZTE.

We'd work with telecom companies to sort of help push that. And there were, you know, there were restrictions in the past from Congress on Huawei and ZTE telecom equipment being in things, and we continued to push that and then looked to the open radio access network.

You know, what can we do to push the open radio access network standard as an alternative to the closed system where Huawei and ZTE at the time, where Huawei certainly, was dominating, and Ericsson, Nokia and Samsung were some of the other players. And so, you know, we ended up doing a paper about kind of how you think through the period before you get to, and we're still at the period before open radio access network is really dominating the 5G market, where you can help strengthen Nokia and Ericsson in the marketplace against competitors which were untrustworthy. And, you know, that thing goes to the standards, actual standards discussions.

And where are there levers at the standards level? And, you know, we were working at the interagency level on principles. They were called the Prague Principles, where we were asking our allies to endorse the set of principles because, you know, this was all pushing to make a healthier supply chain for telecom equipment in the 5G market.

And so that was a big area of where my focus was. 

Justin Beals: I feel like we pioneered the back door in the telecom equipment only for others to figure out how to exploit it later on.

Robert Kolasky: And the back doors keep changing right now. And, you know that. You know, you asked me earlier about the biggest risks, and the Chinese campaign against the telecom companies through Salt is an example of that. Yeah.

Justin Beals: Yeah. I mean, when you think about telecom and infrastructure, even very recently, some of the cable cutting in the North Sea was just an absolute... I mean, it's not a hack, but in a way, it is, you know, it's just fairly disruptive now.

Robert Kolasky: It's an example of the hybrid threat. You know, that's a very good example, right? Where it's a physical attack on a system that basically has the same realities that a cyber attack could have, right? Yeah. And so it's like, you can either harden the cyber ends of it, or you need to harden both the cyber ends and the physical ends.

Justin Beals: Now that we have so much autumn, I have been watching intently, um, the progress of warfare innovation in Ukraine and with Russia, and the amount of drone work that's going on. It is absolutely surprising how quickly they're innovating, and that runs underwater, on the water, above the water. It is a fast pace of change from a warfare perspective that's happening.

Robert Kolasky: Yes, very much so. 

Justin Beals: I did have one last, uh, standards and third-party trust with the federal government question that I'm really curious about. How do you think about, uh, FedRAMP? You know, from an auditable framework and standard, and the emergence of CMMC.

Do you think those compete? Should they have separate areas and lanes? Uh, how do you perceive them? 

Robert Kolasky: You know, I tend to agree with the path we're on of them having separate areas and lanes. We at Exiger are very proud of being FedRAMP certified for the provision of our software as a service. And, you know, we went through the FedRAMP process, and we engaged with the 3PAO, and you know, it was a couple of years of, you know, having to comply with a lot of things, and it was a cost. You know, I've talked to our chief information security officer and, you know, he tends to be pro-security, anti-compliance, right? Like most chiefs, right? But he, you know, acknowledges the kinds of things they're asking, you know, help us up our game. And it's worthwhile to demonstrate that.

So, you know, I'd like to see the FedRAMP process speed up a little bit and be more available to things. But I do think the FedRAMP process, which is, you know, intended to ensure that cloud service providers for the federal government meet certain security standards before the federal government enables them, has to have a higher standard of risk, perhaps, than all aspects of the defense industrial base.

And I think that's appropriate because of the integration. You know, are there ways to get credit for doing one in the other process? You know, they call that a little bit regulatory harmonization. And so, if you've gone through the FedRAMP process at some level, should you get some credit on your CMMC?

I hope you can figure that out, and vice versa. So I do think you can probably streamline some of the evaluation of the questions that are being asked. But I do think, you know, it's a Venn diagram, and the middle of the Venn diagram isn't enough of an overlap to say that there should only be one.

Justin Beals: Yeah, I think we'll see many. Okay. I mean, that's just what we've seen broadly in third-party risk management and frameworks. Everything from, I think in the last two years, one of the things that really surprised me was watching German auto manufacturers asking for TISAX compliance, which is an auditable standard.

It's just not, there's just not going to be one per company. There's going to be a lot, I think, and more and more.

Robert Kolasky: And you know, as efficient as it can be made to demonstrate, you know, right. I still do fundamentally believe that if you have a dollar between security and regulation or compliance, it should go to security.

But solutions that will make compliance more efficient, both from a policy lens, but then from an opportunity lens for private companies like mine and yours, like, how do we help more efficiently collect information to demonstrate compliance against a number of different regimes? Um, I think, you know, I see great opportunity there.

Justin Beals: Yeah, me too. Bob, it has been excellent having you join our podcast today. We really appreciate your expertise and your service. Yeah. 

Robert Kolasky: I hope so. And I thank you for that, Justin. And I thank you for having me, and I'm always happy to come back, and we'll see how this all plays out.

Justin Beals: Good. Well, maybe at the end of the 100 days, we can do a little bit of that.

Look back and see how far we've come. Bob, have a great day today.

Robert Kolasky: You too, Justin. Thanks.


About our guest

Bob Kolasky, Senior Vice-President for Critical Infrastructure, Exiger

Bob Kolasky is Senior Vice President for Critical Infrastructure at Exiger, where he focuses on developing cutting-edge risk management solutions for critical infrastructure companies and supporting government agencies. In this role, Mr. Kolasky leads market strategy for addressing third-party and supply chain risk in critical infrastructure and delivering analysis.

Mr. Kolasky also serves as a Nonresident Scholar in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, as a Senior Associate for the Center on Strategic and International Studies (CSIS), and as a Senior Fellow at Auburn University's McCrary Institute. He is the former Chair of the High-Level Risk Forum for the Organization of Economic Cooperation and Development (OECD).

Mr. Kolasky joined Exiger after 15 years as a senior leader in the Federal government, where he was responsible for foundational work in national security risk management and election security. He was the founding Director for the Cybersecurity and Infrastructure Security Agency's (CISA) National Risk Management Center at the Department of Homeland Security. As one of CISA's Assistant Directors, he oversaw efforts to build a strategic, cross-sector government and industry risk management approach to cyber and supply chain threats to critical infrastructure.

Mr. Kolasky has served in a number of other senior leadership roles for DHS, including Acting Assistant Secretary and Principal Deputy Assistant Secretary for Infrastructure Protection.

Earlier in his career, Bob was a management consultant, a journalist and an entrepreneur. He graduated from Dartmouth College and from the Harvard Kennedy School of Government.


Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of "Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets," which was published in the International Journal of Emerging Technologies in Learning (iJET). Justin earned a BA from Fort Lewis College.
