Video Interview: Leia Shilobod on Navigating CMMC Compliance with Expertise and Innovation

by Mark Berman | CEO, FutureFeed.co


Mark Berman: “I’m Mark Berman. I’m the CEO at FutureFeed, and I’m here with Leia Shilobod at CIC 2024. Anyway, we’re here in Mission Bay at CIC 2024, which is a CMMC conference.”

Mark Berman: “So what brought you here? And tell me a little bit about what you do and why you’re here, more importantly.”

Leia Shilobod: “Okay, awesome. Yeah. So I am here because, well, first of all, I’ve used FutureFeed for I don’t even know how many years now because I recognize that for my business, I’m an MSP, and we also help DIB contractors to be able to get and stay compliant. We have a whole compliance program that we get them into and help them follow to do that. I recognized early on that spreadsheets don’t work. We need a GRC tool. So I’ve been a huge proponent in the industry telling people that they need a GRC and that they should use FutureFeed. And then last year when you decided that you were going to do a whole conference about CMMC, my favorite thing to talk about, I was like, I’m in, I’m in, I’m coming. I’m gonna have a table. I’m gonna talk. I’m gonna do all this great stuff. So I’m back again this year because last year was so awesome and amazing. Like, the people that this attracts are so engaged. They want to share information, they want to help, they want to support. So it’s a great place to be able to network. It’s a great place to be able to find really smart people who understand CMMC and all of the regulations around it, understand what this looks like in real life, be able to get answers to questions and connect to resources. And I’m also here again exhibiting so that we can help organizations to be able to get compliant, stay compliant, both DIB contractors and helping MSPs to do that, too.”

Mark Berman: “So what kind of people have you met here at CIC?”

Leia Shilobod: “So I met DIB contractors who are here. Actually, some of my clients are here. Good job, guys. Get some more good information. We have solution providers that provide MSP services, MSSP services, just consulting. There are also C3PAOs here, which is excellent because you get to talk to them in a more informal way.”

Mark Berman: “So the C3PAOs are the people who are going to be inspecting your clients?”

Leia Shilobod: “Yeah. They’ll be providing assessments for the certification. And that’s really valuable to be able to talk to them here in an informal way because it’s going to be very important that you select a company that is going to align, that you feel comfortable with, that you’re able to talk with. It’s an important decision to make. It’s going to cost a lot of money. So here you actually get them, not off record, but in an informal way, to be able to say, do I like this person? Would I enjoy working with them? And it’s better than just a phone or Zoom interview or something like that.”

Mark Berman: “So, so if I’ve hired you, so if I have this right, I can hire you to help me get ready for CMMC. Yes. And in addition to hiring you to help me get ready, I can, I can come to a place like CIC and learn even a little bit more. But why would I do that? If I have you to help me get ready, why do I need to know anything about it?”

Leia Shilobod: “Right. So it’s a, it’s a, you can’t, if you need to become certified yourself, you cannot abdicate that risk. That is yours, that requirement. You can’t abdicate that to an external company. It doesn’t matter who it is, you own that risk.”

Mark Berman: “I own the risk, yeah.”

Leia Shilobod: “So you have to understand it. And can I give you tons of information? Yeah. I love talking about this. I throw up on people, I give them a safe word. If they ask me a question, they say too much. Yes, I do, but it just can’t be me. Like they need to hear, like sometimes maybe I’ll say something, they hear it differently from someone else and it sinks in. Or, you know, like this body of knowledge is so large, there’s no way that one person can know it. In fact, if somebody says, I have all the answers in CMMC, I’m like, that’s BS, sorry, that’s gonna be on camera, can bleep, bleep. But I mean, I really feel that way because no one person knows everything. So coming here, you get to have like really smart people and their specific areas of expertise that you get to learn from. You really need that. So I come, I understand. If I’m going to own a risk, I need to understand it.”

Mark Berman: “Is that the only, is that all I need to do? So I get enough understanding, so I understand what’s expected of my company, and then I hire you to do it for me.”

Leia Shilobod: “Well, I mean, not just that, I mean, you have to understand, like, you know, it’s not just hire an MSP, right? So like, you know, I tell everyone they need a GRC tool, so they have the opportunity to learn about a GRC tool. They have the opportunity to learn about other security tools that you need to implement to meet the technical controls. You have to select a C3PAO. So you get to learn, like, what should you even look for in those things? Maybe you have a question, like what? I hear a lot: What is our CUI? I don’t even know. Well, there are answers and sessions here about that because you also have to determine what it is that is CUI, or what it is you’re going to treat as though it is CUI if you’re unsure. And there are resources for that here as well. Like, there are so many things you have to learn, and you as the person, the organization that’s getting certified, you can’t just hire somebody to know everything for you. You need to have an understanding of these things. Maybe you don’t have to understand how to implement every single one of those controls, but you have to understand what they mean.”

Mark Berman: “Understood. So in full transparency, you’ve referred to FutureFeed, which is a tool that I provide. It’s a GRC tool. What do you use it for? How do you see it? How do your clients benefit from using that tool versus a spreadsheet or any other tool?”

Leia Shilobod: “Well, the CMMC is 110 controls, and then you can’t just. It’s not just that control itself, that safeguard, it’s all of these assessment objectives, which ends up being 320 things. You have to.”

Mark Berman: “320?”

Leia Shilobod: “Yeah.”

Leia Shilobod: “To say I’ve done all these things, and I know I have done all these things, that’s a lot to keep track of. So having a tool, a sophisticated tool instead of a spreadsheet, to be able to not only track are we doing it, but then how are we doing it? And what’s the relationship between maybe some of the technical tools that we’re using and that control? Like, how is that linked together? What about the documentation and then how that relates to a control? It’s very, very difficult to do that in a spreadsheet. Or maybe you do it in a spreadsheet and then maintaining it over time is nearly impossible.”

Mark Berman: “So the assessor is going to ask me not just am I doing it, but how I’m doing, how I’m maintaining my cybersecurity and controls.”

Leia Shilobod: “Yes.”

Mark Berman: “And I’ve got to be ready with an answer.”

Leia Shilobod: “Well, it’s not, and it’s not just for the assessor, it’s for you to know you’re ready for assessment. Right. So how do you even know if you’re ready for assessment? If, you know, you can’t be really clear about are we actually doing this thing? And FutureFeed allows that, allows you to do that, allows you to say, okay, here’s all of our documentation, I’m going to put that in FutureFeed. And here are the technical tools that we’re using. I’m going to put that in FutureFeed and I go to the controls and describe how we’re doing it, maybe in writing. And then at the bottom you link over. Okay, so we also have IT policies that address this. We also have this SOP that addresses this. We have this technical tool that helps us to secure that. And then you can see in one place you’re confident I’ve got this control down.”

Mark Berman: “And then, so supporting the control is a combination of the tool, the documents, and I guess, the people running the tools and using the documents.”

Leia Shilobod: “Right. So it’s all of those things. You document it so that you feel ready for an assessment.”

Mark Berman: “Yes.”

Leia Shilobod: “And also that you are ready for an assessment because the assessor is going to ask you about all this.”

Mark Berman: “Yeah. And then it’s all there in one place.”

Mark Berman: “Okay, very good. Is there anything that I didn’t ask you about that you’d like to share?”

Mark Berman: “I know you have a coaching program. Can you tell me a little bit about your coaching program?”

Leia Shilobod: “Yes. So, because we got really good at helping companies that need to be certified to implement this cybersecurity compliance program using the controls. And we have a toolkit, which is also available in FutureFeed, which is basically all the how-to for that and includes templates. A lot of MSPs... I like making friends, Mark.”

Mark Berman: “You know, like making friends.”

Leia Shilobod: “I do.”

Leia Shilobod: “So tons of friends who are MSPs, they’re doing this work too. And they were like, we need this kind of help. And I’m like, okay. So I got them all together and I’m like, this is what we’re gonna do. I’m gonna license that information to you and I’m gonna show you how to use it. So we actually coach every single week. We’ve got coaching calls where we’re talking about, like, a deep dive on the controls. What does this look like in your clients? What does it look like in your MSP? Because now you have to get certified too. We talk about what’s happening in CMMC in general. We can answer questions like, my client is doing this, is this actually compliant, or do we have to tell them that it’s different? And then we also help MSPs have some accountability to implement the controls themselves. It’s kind of like, let’s hold hands and we’ll do it together.”

Mark Berman: “Okay. Yeah. So we do that, too. Fantastic. Well, thanks so much for spending a few minutes with me. I really appreciate it.”

Leia Shilobod: “Okay. Thanks very much.”
