Compliance as a Competitive Advantage
June 24, 2026
In this on-demand webinar, you'll learn how to quantify the true cost of compliance gaps and shift from reactive audits to an always-audit-ready posture. You'll also discover why data-level protection is essential for meeting CMMC and HIPAA obligations and how to transform your compliance program from a legal checkbox into a driver of sales and customer retention.
Most organizations treat compliance like a tax — painful, expensive, and disconnected from anything that actually moves the business. But the organizations winning more defense contracts, closing deals faster, and retaining clients longer have figured something out.
In this session, Virtru's Andrew Lynch is joined by Chris Lank, Founder & CEO of Ivis Technologies, to walk through why the organizations that are winning have figured out that compliance isn't the cost of doing business. Done right, it is the business.
This executive session shows you what that looks like in practice — and how two purpose-built tools make it achievable without ballooning your budget or burning out your team. Available to watch on-demand now.
Full Transcript
Andrew Lynch
Well, welcome, everyone. Thanks so much for joining today.
My name is Andrew Lynch, from Virtru. I'm joined today by Christopher Lank from Ivis.
Today, we're gonna be having a conversation around something that most organizations treat as a burden, which is compliance, and we're gonna talk a little bit about some competitive advantages and how organizations are using that to to speed up process, win more business, and have it be less of a burden. We have about thirty minutes for the conversation.
We're gonna save some time at the end for Q&A. As a reminder, please feel free just to drop the questions in the Q&A section.
We'll be monitoring them and again we'll try and address those at the end. So I'll start by just introducing Christopher Lank from Ivis.
Maybe Chris introduce yourself and share with us a little bit about yourself and your organization then we'll get started.
Christopher Lank
Yes. Thank you Andrew and thank you Virtru.
My name is Christopher Lank. I'm the CEO and founder of Ivis Technologies.
Ivis is has been in the defensive industrial base for going on about twenty years now. Our software is really based around risk and compliance.
We started working with some of the larger primes and OEMs first. And over the past, probably seven, eight years, have done more and more into the actual supply chain base itself, both commercially and and on the military side as well.
We've been partners with Virtru now, I believe, five years, Andrew, if I'm not mistaken. Have done some integration work and know Virtru very well.
So, we're honored and happy to be here.
Andrew Lynch
Yeah. Thanks, Christopher.
And so, yes, likewise. Thanks for joining today.
I, of course, represent Virtru. We're gonna talk a little bit about where Virtru fits into compliance around protecting data at an object level beyond the perimeter.
And we do partner with Ivis. They're part of the Virtru compliance champions program, which is something that we put together specifically for really our CMMC focused clients.
But we're not just gonna be talking about CMMC today. We're gonna be talking about compliance in general.
But at Virtru compliance champions program, it is intended to be a resource for our clients and prospects that are going through, specifically, their CMMC journey and see value in other experts besides Virtru. We don't do everything.
We don't claim to say that we do. And if it's a GRC tool to help with ongoing compliance, readiness, etcetera, Ivis is one of our partners.
We are gonna be recording today's webinar as well. So, if anyone wants to revert back to this or share this with a teammate, feel free to.
And, of course, please feel free to get in touch with either Virtru or Ivis directly, or happy to make an introduction to Christopher at any point in time. So, Christopher, why don't we start with the reality? When you're talking with an organization for the first time, whether it's a defense contractor or health care provider, how are they typically describing their compliance program? You know, what's the common thread you're seeing?
Christopher Lank
Yeah. And Andrew, that's really a great place for us to start, because it it really kind of, you know, changes on who we're talking to.
But the current underneath is always about the same. You know, you'll have, let's say, a defense contractor who'll say, yeah.
We've, you know, we've got an SSP or we've done a self assessment and, you know, we think we're good. Right? Or like a health care provider who might say, yeah.
We've been HIPAA compliant for years, or even like a, let's say, a government adjacent pharmacist. Yeah.
We passed our last audit. We're in good shape.
The one common thread though as we kinda dig deeper into the conversations with them is the one question we always ask. Can you show us where you stand today? Okay.
Because what usually they have is a sort of snapshot in time, sort of a point in time picture that, you know, someone scrambled to put together sort of, you know, at the last time, you know, last minute or something for an auditor or a a prime has asked them, you know, for something. You know, they've got, you know, a binder full of policies, but but they're not sure those documents actually match what's happening, you know, in the environment, you know, as they speak.
So there there really is this gap between documented and demonstrated. Almost, like I said, everyone's got a policy.
The trouble is very few of them can actually prove that it's actually being followed or actually being used. Okay? And a lot of times, a lot of these compliance programs is usually just riding on, like, one or two heroic people who, you know, if, you know, one day they leave, it it comes to even a a greater risk.
And I think that's really what we're here to talk about today is, you know, compliance becoming part of the culture of people's organizations.
Andrew Lynch
Thanks, Christopher. And, yes, so on the Virtru side, you know, we're not necessarily a compliance company, obviously.
We're an encryption technology. We're, again, we're encrypting data at the object level upon creation.
But it is pretty common that we're talking with organizations that do need to meet a certain compliance because there often are encryption requirements if you're gonna transmit or store that in the cloud or in different environments. And so but, you know, on your end, you're you are really more, correct me if I'm wrong, primarily talking about compliance on a regular basis to people, and that's where you fit in.
Christopher Lank
Correct.
Andrew Lynch
And we often do hear, you know, frustrations or the phrase compliance as a burden. And so I guess from your take, why do organizations have that mindset?
Christopher Lank
Yeah. And they do because a lot of them really look at compliance as more like a tax.
You know? And, you know, a lot of times, the clearest sign of, of that sort of compliance as a burden is usually shows up when there's a fire drill. Right? You know, a prime sends over a security questionnaire or, let's say, an audit date lands on their calendar.
And and suddenly, you know, it's all hands on decks for the next few weeks. You know, people are digging through email.
You know, they're chasing, you know, screenshots. You know, they're actually asking, you know, where's this policy? Have we followed this policy? And real the reality of it is a lot of real work for that organization stops while everyone is sort of, you know, here on fire moment.
Right? But then the other the rest of the year, it kind of the pendulum kinda swings the other way, and compliance just goes quiet. Okay? Because, you know, you know, the old saying, you know, where there's smoke, there's fire.
Well, there's no smoke, so nobody's really looking at it. Okay? And so you've got organizations that are kind of, you know, lurching in between panic and neglect, and there's really this no man's land in between.
And and usually, again, underneath that, there's usually, like, one person carrying it, like an IT director who owns compliance or, like, a a GRC manager who's, like, buried in spreadsheets, you know, trying to keep track of, like, a 100 controls to get, you know, across different frameworks. You know, they spend their time sort of gathering evidence, instead of actually, you know, improving security.
And that part is what we really think have you know, people have it backwards. So day to day, you know, it feels like, you know, you're trying to survive, you know, a few times a year, not something that's really working for you.
And that and that's really the mindset, Andrew. You know, we're really trying to to, you know, flip.
You know, compliance is not a one and done. You know, compliance needs to be looked at as a marathon.
It is something that you are running, you know, continuously, and it's the long race.
Andrew Lynch
Yes. That's interesting that you say that because I I recall a Virtru client in the aerospace industry who is a GRC, you know, professional, also works closely with security and IT team, and they had shared that, you know, compliance, it should not be considered a a project.
It's a program. It's ongoing.
And the comment you make, which I think is a relevant one, it's that, you know, they are you know, security and compliance are not always the same thing too. Right?
Christopher Lank
Yep.
Andrew Lynch
And there there are requirements to most compliances that you do need to meet, and those are important. But I always, you know, recommend to to Virtru clients and prospects that while you're going through that, you know, looking at and considering, are are there easy ways to increase security over other approaches, is only a good thing.
You know? So that's where, for example, Virtru, you know, we're often doing significantly higher level of security than maybe what's needed for a certain compliance. But, yeah, I'm curious.
You know? Have you seen organizations begin to take a shift from just the, you know, time and place needed to meet a compliance to then seeing the importance of the ongoing maintenance.
Christopher Lank
Yeah. Yeah.
Because a lot of the compliances now, and in CMMC is probably one of the main things we're talking about today, is it's not a sort of one and done, and it's not also this trust us. You know? The government's really coming more with the trust, but we're going to verify.
So you're we're seeing CMMC is kind of the first, but a lot of these other ones like HIPAA, you know, mine just went blank there for a second. Some of those ones.
But they're starting to have more and more teeth to them, and so it can't be something that we just sort of pass under the rug. It's becoming sort of a line item in the CFO spreadsheet of this is a cost that we've gotta start building into what we do on a day to day basis.
Andrew Lynch
Mhmm. Yeah.
And so why don't we talk a little bit about CMMC? Maybe for those who are not as familiar or just more still beginning their journey. Can you give us a quick snapshot of what CMMC is and what it requires and why so many contractors are maybe struggling still?
Christopher Lank
Yeah. Sure.
So, in practical terms, the CMMC is the D, Department of Defense's way of verifying that contractors, you know, actually are protecting sensitive information they handle. There's three levels.
Level one's foundational. It's for companies handling, you know, federal contract information.
It's a basic self assessment against 15 practices. Level two is where most people are gonna fall into that category if they handle CUI.
And that's, again, controlled unclassified information, and it's maps a 110 controls against NIST data one seventy one. And then, level three is kind of the expert tier for the real most sensitive programs.
Here's the word that's really changed and really why it's urgent. And for years, you know, CMMC was, you know, it's coming.
It's coming, guys. You know, I was part of some of the original, you know, going out with Katie Arrington and Stacy Bostjanick because, you know, prior to COVID, they were out there speaking about CMMC.
And then it got paused, and then it kinda got going again. Well, it it's not coming anymore.
It's here. You know, phase one went live, you know, last November.
And, you know, right now, self assessments are required as a condition, you know, of award of some contracts. But the big one is phase two, which tend to leave right now still starts, I think, November 10.
And that's when most level two contracts are gonna start requiring the third party certification from a C3PAO, not just, hey. We've got it covered.
Okay? So lot of there's a few reasons why folks are still struggling. Again, before, all I had to do was have an SSP and a POA, and, technically, I I was good to go.
The DOD is estimating, and, again, this number kind of bounces all around. They're estimating, I think, between eighty and eighty five thousand, you know, contractors are gonna need that third party level two certification.
Okay? But here's kind of the kicker. The average company needs anywhere from eight to twelve months to get ready for this assessment.
Okay? A lot of people are kinda waiting to the very last second to do this, and and I would encourage you if you're on this today and you're waiting, you don't have the runway that you think you have. It really does take that eight to twelve months.
Now if you wanna throw a ton of people and a lot of money at it, sure, you could do that. But the math is against you with this November deadline looming.
Okay? And then couple that, there is only a limited number of C3PAOs. So we're starting to see kind of a a bottleneck that's gonna start forming here.
Okay? But, again, sort of, you know, a deeper reason, and then we kinda talked kinda hit on it a little bit earlier. You know, level two isn't, you know, just about, you know, 100 you know, 15 or 20 things.
It's a 110 controls. There's 320 underlying objectives.
And for each one of those, the assessor wants evidence, not a policy saying, hey. I intend to get to this.
Okay? A a lot of contractors have done self assessments over the years, and they're pretty good about giving themselves a generous score. I I think we all would if we were given that chance.
But they're now realizing that there's gonna be an independent third party coming through their door, and they're obviously just not gonna be as generous as everyone would hope them to be. So it's there there really is now the gap between we wrote it down and versus we can now prove it's running.
Okay?
Andrew Lynch
Yeah. Thanks, Christopher.
And I know we'll probably talk a little bit about from both of our experiences and conversations types of organizations that we're supporting, and, you know, we we hear different estimates on either alternatives that they're looking at, other softwares, the actual audits. But as far as the cost of maybe not getting this done, you know, for those who again aren't familiar, what what's at risk, you know, for an organization that come, when CMMC level two is enforced in a contract? If they're not ready, what are the implementations? What are their limitations?
Christopher Lank
Well, I mean, in simple terms, you're gonna be barred from getting the contract. I mean, in November, I'll give an example.
We do a lot of stuff on, you know, the maritime industrial base with the navy. And the new contracts for the new ship builds are coming out in November.
Those contracts are gonna be peppered with CMMC level two certification requirements. So if you're a supplier that is looking forward to some of those contracts and you don't have level two in place, unfortunately, you're just gonna be barred from even being able to bid on the contract.
That's the blunt, you know, that's where it's at.
Andrew Lynch
Yeah. And so that's where, and and again, I I I empathize with I know that this is a a large feat that organizations are going through, an important one to get to get right though.
But often, you know, from my perspective, being a sales professional, there's, of course, the upfront cost of purchasing things and and often it's either the CFO or an executive that's looking at, you know, I have multiple quotes for different vendors and I'm I'm I'm looking at the cost of meeting compliance is me purchasing these. But it's but specifically with CMMC, for example, it's not necessarily just that.
It's the, you know, they they may not be envisioning losing a contract that maybe they've been winning for the past five, ten years,
Christopher Lank
Correct.
Andrew Lynch
because no longer are they even qualified to even bid on anymore.
Christopher Lank
Correct.
Andrew Lynch
Well, that's, you know, from what I've learned, you know, slightly different than something like HIPAA or PCI or, you know, FERPA, for example. So let's transition a a little bit here.
So we kinda talked about, you know, organizations at a high level know that they need to get this right. They know what the stakes are, but they're kinda often in this reactive cycle.
So let's talk what it looks like to actually kind of break that. So, Christopher, I know that this is in part what Ivis is is built to help with.
So could you just walk us through kind of what is Ivis? What does it actually do? What is it built for?
Christopher Lank
Sure. Sure.
So Ivis GRC, at its simplest, is a system of record for your entire compliance program. It's a place where your controls live, your evidence, your real time status is all live in a single spot instead of being scattered across spreadsheets or SharePoint folders or people's email boxes.
So it it does a few things. We take frameworks like CMMC, HIPAA, NIST, CSF, SOC two, you know, whatever ones you're working against.
We break it down into the actual controls and the objectives that you're responsible for. Then we continuously track where you stand against each one of those, tying each control to live evidence, and really help you to flag gaps before an auditor or a prime ever is ask you, you know, for the evidence.
So at any moment, you can answer the question, like I mentioned earlier, to where do we stand today, you know, with a real answer, not just, you know, a scramble. Okay? Who it's built for, it's really any organization where compliance is tied to revenue.
I mean, on the defense con contractors, you know, it's CMMC. For health care organizations, it's HIPAA.
You know, anyone that's doing business with the government or primes who are having requirements passed down to them, you know, are part of the supply chain. And, honestly, it's it's really built for the small to medium sized business that may only have one to two, maybe three people, like, you know, an IT director or, like, a GRC person who's kind of, you know, carrying the entire load.
Right? It it kinda helps turn that sort of tribal knowledge that's in one person's head into, you know, a system the whole organization can look at and verify what's being done. So, again, it's not a place just to store documents.
It's really the operation layer for your compliance program. It's visibility and structure in one place.
Andrew Lynch
Thanks, Christopher. And you mentioned a couple acronyms.
I know with compliance, that's pretty common. But could you speak to from your experience too? I know we've talked again at depth already about CMMC, but, you know, is it common from what you've seen that an organization maybe comes to you to help with CMMC that they need to meet other compliances also? And is that something that they're able to to use Ivis for?
Christopher Lank
Absolutely. We have seen over the years that most suppliers in the defensive industrial base are dealing with three to five different compliance programs.
And it can be OSHA, it could be conflict minerals, human trafficking. Obviously, CMMC is one of the big ones out there.
And, you know, the Ivis GRC is designed to kind of be Switzerland. It will handle pretty much any compliance program.
We've got a library of frameworks that are just plug and play, and they're able to get in there and start working on these programs.
Andrew Lynch
Yeah. That's, I I would say similar to Virtru.
You know, it's common where an organization will come to us for one compliance. It could be HIPAA, for example, or maybe CJIS, you know, and then we check-in with them or or upon onboarding, it's, you know, another department has identified a use case for another compliance that they may need to meet or just in general wanting to protect PII, you know, sensitive intellectual property, with our encryption.
And so, that's also, I think, important in the flexibility of tools where, you know, it sounds like I know Virtru at least were not just built for CMMC. We didn't just come out when CMMC became a thing.
You know, we've been helping to protect sensitive data for, you know, fifteen plus years now. We do support the intel community and the and the DOD as well as banks and state and local governments.
CMMC is, again, one that we're repeatedly having more conversations with because it's just newer. But it sounds like that's also similar to Ivis where if you were to get this for CMMC, you may need to meet PCI, for example,
Christopher Lank
Correct.
Andrew Lynch
or your your HR department is is wanting to align to HIPAA or maybe even needs to in some instances. So I think that's pretty relevant between the two.
And so could you just walk us through, like, practically when someone does onboard with Ivis, just, you know, what are they doing, you know, in the first month or two, and and what what are they seeing or feeling differently than than where they were previously?
Christopher Lank
Yeah. Yeah.
Well, the first couple weeks, you know, it's mostly onboarding where, you know, they're they're pulling in their existing policies and evidence, and and self assessment into the platform and mapping everything against, you know, whatever targeted framework, you know, let's say CMMC that that they're gonna, you know, try to get compliant with. To be honest with you, it can be a little uncomfortable for them because it's really the first time the organization is kinda getting a real picture of the gaps.
Okay? Gaps that they didn't know existed were kind of hiding in spreadsheets, and all of a sudden, on one screen, they can kinda see, oh, man. We're really not as far along as we thought we were.
Okay? But the good news is there's a little bit of relief because the anxiety of not knowing kinda goes away, and it's like, okay. Now we know what we have to, you know, start working on.
So then, you know, the next thirty to sixty days, it you know, what we've seen is it kinda shifts from exposure to, okay. We got it.
We're gonna control this. They're able to prioritize the gaps, be able to, you know, give out, you know, tasks to owners.
Or if they have, you know, an MSP they're working with or consultant they're working with. They're able to collaborate with them seamlessly.
And then week over week, they can start watching their posture get better and better and better. And then I I think, again, one of the things that it a shift is, and I I know I keep harping on this, is with the small to medium size, it kinda stops being the one person's burden.
It's not just, you know, in one person's head. You know, the the program can be seen by, you know, the entire team.
Okay? And then the one thing that we are trying to help suppliers get away from is the fire drills. Okay? Because that's just disruptive on so many levels.
And and if we can help suppliers get out of that, we we've won.
Andrew Lynch
Yeah. And I think, you know, I I I appreciate that feedback.
It's similar to often kind of what we hear, you know, when we're talking to an organization that's maybe looking into Virtru to help with mainly the encryption controls around CMMC. You know, we are an encryption technology.
We encrypt data at rest and in transit, and we don't try and say we do more than we do. But I think often in the CMMC landscape, organizations that we're talking to, it's having to, you know, address the, hey.
We're we're not maybe as far along as we'd like, and we're we're we're okay with taking some small victories, and we know that Virtru is not going to accomplish everything for us, and we're prepared for that. I would say that's what from what I've learned, a better fit for what we do specifically and in general, a better approach.
There are, of course, times and again, I I empathize with organizations needing to meet CMMC where they come to us and they're they're they're looking at our our control matrix and they're asking, well, what about the other 80? How do you help us evolve 110?
Christopher Lank
Yep.
Andrew Lynch
And it's hard to explain that, well, there's likely not really many, if any, companies that can actually do that. You're going to need to do some of this on your own.
You're going to need to may maybe purchase some other technologies. Often I've learned a lot of people have at their disposal already things that they could use.
They just have to configure them correctly. But I think it's just get getting beyond that hump of, you know, hey.
We're here to address getting compliant. We know we're not right now.
Christopher Lank
Yep.
Andrew Lynch
It's it sounds like that's a similar kind of feeling that that you're seeing with your customers as well. But that's okay.
That's common. You know? And then they're taking the right steps to to get there.
Christopher Lank
Yep.
Andrew Lynch
And so, I think we've talked a little bit about how, you know, Ivis can kind of help you have that view on where you are in your compliance journey, what gaps you need to address. Can you speak to though, like, on a on then, like, a daily basis from a a maintenance perspective? How is someone leveraging Ivis? Are they are they logging into a dashboard? Are they getting alerts? Is it helping to automate that ongoing compliance maintenance?
Christopher Lank
Yeah. Absolutely.
So we do give organizations, you know, at a at a simple level, a dashboard. But I kinda push back on the word dashboard because a lot of people just think it's kind of a a pretty picture.
We kinda look at it more as like an instrument panel for your compliance program. It's meant to be used not just to every once in a while take a look at.
But what's on that is, you know, we give people sort of an overall posture score of whatever framework they're tracking, broken down by control family so they can, you know, see, you know, at a glance, like, access control solid, but, hey. You know, we've got some gaps we need to work on for logging.
Okay? You know, it shows, you know, the owners, the due dates, you know, what evidence is current versus what's expiring, anything that's recently drifted out of compliance. You know, it it's really the answer of, you know, where do we stand today, but it's, you know, continually refreshed.
It's new daily. It it also, it's not just one view for one person.
You know, different people are kind of at different altitudes within the organization. You know, you might have, you know, a GRC manager who uses it to assign work and things like that.
But leadership like a CSO, a CFO, or CEO, you know, they're kinda looking at a higher, you know, posture score, because, you know, they're the ones who have to eventually sign the annual attestation. And, you know, they wanna be able to see what they're signing off on.
Andrew Lynch
Mhmm.
Christopher Lank
K? So day to day, the hands on folks, they're gonna be in there regularly the way that they should be. Again, going back to the marathon analogy.
And this is the thing that I would also put out there. Once you get your level two certification, in some way, that's really the beginning of the journey because you're gonna have to do this every, I think, three years, I believe, you go back to your certification.
So at Ivis, our goal is to get you compliant, but then to keep you compliant. So that three years from now, this is hopefully a less painful process.
Andrew Lynch
Yeah. And it's also you wouldn't wanna, as we hear about the cost, spend all this time and money achieving level two to then just kind of let it go.
And then three years from now, you're kinda doing the whole fire drill all over again. To your point, I do know it it is I believe also every three years with the C3PAO, every year in between you're doing the self assessment, needing to still maintain the the the the certification.
Christopher Lank
Correct.
Andrew Lynch
So, again, you're familiar in those. I think a lot a lot of them on the car call are with where Virtru fits in.
Right? So we're we're taking a different approach to encryption where it's it's object level. We're protecting the data itself rather than just at the perimeter, you know, unlike maybe common email gateway alternatives.
So even after the data leaves your organization, it's always under your control. You can revoke access.
You can set expiration. You can disable downloading.
You can audit the data at any point in time. And so, Christopher, for from your experience where maybe an organization is using an encryption tool like, like Virtru, where does that data level protection fit into a compliance program? And is this something that organizations are accounting for, or are they often having this be a blind spot for them?
Christopher Lank
Yeah. Yeah.
It actually is one of the more common blind spots out there, and it's really kind of for a subtle reason. Most organizations, when they, you know, they build a compliance program, you know, they think about security and layers.
You know, I've got my network, my devices, access controls. You know, they put up firewalls, they lock down logins, they segment the network, and that's all good.
But all that essentially is is building a wall around where the data sits. You know? The problem is that the data doesn't sit still.
You know, it moves. It goes out in like in an email.
It gets dropped in a shared folder. It gets sent to a subcontract or a partner.
And the moment it crosses over that wall, most of those controls stop applying. So the the data is out, you know, out there in the world, and you've lost visibility and control over it.
So from a a governance perspective, you know, data layer protection is the layer that travels with the information itself. You know, protection and auditability that that stay attached even after, you know, the data has left your environment.
And and and here's why it it matters: frameworks like CMMC and HIPAA specifically, they don't ask you just to protect the CUI or PHI while it's at rest in your building.
They expect you to protect it wherever it lives and moves. So if your program stops at the perimeter, you've technically got a gap against that requirement, you know, even if your network security is excellent.
Andrew Lynch
Yeah. Thanks, Christopher.
And I I think you made some compelling points that come up on conversations, even outside of CMMC with us too, where, you know, the the whole network perimeter based security, it's been around for a long time. Yeah.
In this day and age, it's not always going to be the most practical way. And when you're needing to meet a compliance requirement, I mean, you are truly just needing to meet that if that's what your only goal is.
And, you know, I talk to people where they're looking at how they're gonna meet CMMC, and they talk through what their data flow workflow is going to be, and and they're confident, and maybe they've even been consulted that it would pass. But then my follow-up question is, but is that conducive to actually business?
Christopher Lank
Correct.
Andrew Lynch
Right ? Again , it's compliant. Should be something that's helping you to generate revenue , not a hindrance.
You know ? So , I I think that's where with Virtru again , it's , extremely quick to deploy. You know , it attaching to your data really in any environment , whether it's internal or external.
So to your point , data is not just sitting in one place. It needs to be able to move.
You need to be able to collaborate if you're gonna win in this day and age, you know, and and be quick.
And that's really , again , a differentiator , you know , along with just it needs to be easy , you know , where you're you're not having your extra recipients jump through hoops making accounts , making passwords to be able to access what you've sent them because you needed to do it this way to , again , meet a compliance where , again , where , again , yes , you did pass. You got the certification , but now no one's getting back to you because they can't figure out how to reply to you.
You know ? So , again , there's there's certainly trade offs , and and we we think those are important ones to consider. So , again , for those who are specifically just in in the audience for CMMC level two , could you maybe speak to , how , from your perspective , some of these are creating exposure , and and what are the auditors actually looking for ?
Christopher Lank
Yeah. And this is really where it gets , you know , concrete for the level two crowd.
It it you know, CMMC level two maps to NIST 800-171, the 110 controls against the 14 domains, and a big chunk of those are specifically about protecting CUI wherever it lives and moves. So, an unprotected data flow isn't just a vague risk.
It maps , you know , specific controls , so it you will be scored against that. It so , I guess , here's the exposure in plain terms.
CUI has to be encrypted both at rest and in transit , and the anchor requirement is that you use FIPS validated cryptography to do so. Okay ? If your CUI is leaving your environment in a regular email or a shared file with no protection traveling with it , it's really not a gray area at that point.
You're exposed against a few named controls. And , honestly , the the rule is not forgiving here.
You know , if the system touches CUI , it's in scope , period. There is no , you know , light version.
So every one of those casual data flows we've talked about that pulls more of your environment into the actual assessment itself. Okay ? You know , the assessors and , again , we know a few of them.
What are they actually looking for ? Honestly , you know , two most of the time , what we're hearing is two things. The first , is , you know , there's a difference between , you know , FIPS validated and , you know , FIPS compliant.
Okay ? If you're if you have a vendor that's giving you a data sheet on that , the assessor is gonna probably ask for a certificate to validate the modules. You know ? It's the you know , if you say to them , we're using encryption , it's really not gonna pass muster.
They're gonna be looking for proof. And then the second is really gonna be evidence.
They they're gonna want to see evidence against your SSP , artifacts , documentation , training programs. So there's quite a bit that they're gonna be looking for.
Andrew Lynch
Yeah. Thanks , Christopher.
I know that one big thing that comes up in conversations that I'm on is , also the FedRAMP requirements. So , FedRAMP equivalency is the baseline.
Virtru is FedRAMP authorized. And so what I've learned from the assessment community is that's also gonna just cut down on the actual assessment , where , they'll just be able to look in the marketplace and see Virtru listed versus with an equivalent tool having to examine the whole body of evidence for that tool.
Some other , you know , differences too from a a breach notification perspective for an example , but we we've really had organizations reach out to Virtru because they they really are looking for something that that is authorized. And , again , that's what that's what Virtru is.
So , I guess , why don't why don't we kind of , lastly , transition to again , Ivis and Virtru have known each other for some time. You know we're solving different things when it comes to the compliance landscape.
So from your perspective , Christopher , how would you think or see an organization maybe using Virtru and Ivis , complementing , the tools. You know , where do you see one beginning and the other starting ?
Christopher Lank
Yeah. It's a great question because I I believe we both generally solve two different halves of the same problem.
Okay ? The way I kinda look at it is Ivis is the system , the visibility , the structure , the proof layer. You know , we tell you what controls you're responsible for , where you stand against them , where your gaps are.
We hold the evidence that you're actually , you know , doing what you say you're doing. So we always kinda look at it as we're , like , the program level view.
The you know you know , what do we need to do , and can we prove that we're doing it sort of layer , if that makes sense. Virtru , in my mind is one of the controls that the program needs to point to.
Specifically, it's the data level, you know, protection, the encryption, the access control, that travels with your CUI or your PHI after it leaves your environment. So where we say, you know, you've got a requirement to protect sensitive data wherever it moves and here's the gap, you know, Virtru is the thing that actually closes that gap at the data layer.
And important most importantly for the auditor , it's gonna generate the evidence , you know , to show that that that's happened.
Andrew Lynch
Yeah. Thanks , Christopher.
And so , you know , you mentioned earlier that compliance can help to shorten , you know , vendor qualification cycles. Can you speak to any scenarios where having this sort of joint program , in place could actually help to accelerate winning deals ?
Christopher Lank
Sure. Sure.
And let me frame why that , you know , works first because it's a little sort of counterintuitive. You know , people assume compliance slows deals down.
Right ? More paperwork , more , you know , hoops to jump through. But in a in a vendor qualification cycle , the thing that actually slows you down is the uncertainty.
You know, an OEM's buyer or procurement group, you know, they can't really move forward with you until they're confident that you won't be a weak link to them. Okay? And and anybody who's dealing with these primes know they are so risk averse.
They don't wanna deal with it. Okay ? So anything that resolves that uncertainty faster helps , you know , accelerate the deal.
Okay ? You know , if you're a company trying to land a a prime , you know , contractor , you know , you know , the prime's you know , security team is gonna send over the usual package to you. It's a long questionnaire.
They're gonna request your SSP , evidence how you handle the CUI. And the and the problem , Andrew , is it normally kicks off this horrible back and forth that can drag off for weeks.
And again , I'm going back to the fire drill , you know , because they want the contract. Right ? But they're scrambling to get all the answers , and that's a lot of times where it stalls.
Now an accelerated version if , you know , if a company is running Ivis with Virtru , they don't have to assemble anything. It already exists.
They can turn that questionnaire around in days because the evidence is sitting right there in their posture view. So when the prime asks the hard one , show us how you're actually protecting CUI in transit , you know , they don't have to go looking for it.
They can show the live control and the audit trail. And , you know , the prime goes , great.
These people have got it. They're ahead.
Andrew Lynch
I I really like that. Thanks , Christopher.
Let's actually transition now to some of the questions , just because there's been a couple. The first is , just kind of generic.
We haven't addressed this, but what size companies are we talking to? Small companies have the burden mindset for one reason as example. The per cost for a small business of 10 to 15 is large, especially if a C3PAO assessment is on the horizon.
So maybe we'll each kind of give our... so I'll start with you, Christopher.
Christopher Lank
Yeah. So it it is a good question.
Look. The vast majority of the suppliers in the defense industrial base are 50 people or less.
They usually , have anywhere from five to seven big contracts they're working on. Okay ? And , I'm not gonna sugarcoat it.
CMMC 2.0 is a big ask, and it's a it's a heavy lift for a lot of these smaller companies to do. It is I I hate to use the word burden.
Okay ? Because that's a lot of them are looking at this as a burden. I would like to kinda change the narrative on that and talk about that.
Number one , going through the process of getting your CMMC level two in place not only makes you a better company to go out and get more contracts , but from a security perspective , actually puts the the things in place. I mean , because if you have a breach , right , you know , you've lost , you've been hacked , or you've lost some CUI , you know , by law , you have to go to the DOD CIO's office within seventy two hours , and you need to , you know , tell them what happened.
Right? And then that kicks off a whole process of being audited and government agencies coming in. And if you have stated to the government, hey,
I I put these things in place, but when they audit you, it shows you haven't done it, the risk even becomes more.
So , again , the burden mindset I would ask is is I I would kinda change that to we're putting best practices in place , not only to get us compliant to safeguard and keep the company protected in that respect , but also it's gonna give us a competitive advantage going for more contracts. Sorry.
That was a little long winded.
Andrew Lynch
No. Thanks, Christopher.
Yeah. I I can speak to , you know , from my perspective.
So , you know , I've been at Virtru for almost nine years. I've probably joined thousands of conversations.
We have over 6,000 clients in every industry. So first , just to address , you know , who we're talking to.
I mean , we have literally thousands of very small health care providers that need to meet HIPAA. It could be an office manager.
It could be a dentist. It could be a psychiatrist , that need to meet HIPAA that's been around for a long time.
So they most of them understand what it is and what their requirements are. I normally even share that with an organization that needs to meet CMMC because that that that right off the bat speaks to the simplicity of Virtru where , you know , when we're having CMMC conversations , they're they're usually a little bit more technical.
They're more specific to the level of encryption we offer, etcetera. And there are alternatives out there that are really just built for CMMC where we have people that buy Virtru that, you know, they don't necessarily know or care that they're using something that's end to end encrypted, FedRAMP authorized, FIPS 140-2 validated.
They just want to send a HIPAA , compliant email and have it be simple for someone to open. So , again , we're not trying to , you know , over index , you know , making it complex.
We're trying to facilitate collaboration. On the CMMC side , though , similar , you know , we are working with organizations of all sizes.
So we we work with, again, very small manufacturers with literally one to two employees, to also some of the largest manufacturers supporting, you know, the, you know, our our US government, and DOD. So we have dozens of states, very large banks, etcetera, that are using Virtru for all different compliance purposes.
So that again speaks to the usability , but also how we're truly adding extremely high level of security and audit capabilities over your data. And I would say , again , I agree with you , Christopher , where it's it's really implementing best practices.
I I think with CMMC , what's just the difference is that it's the newer thing that's now gonna be checked.
Christopher Lank
Yep.
Andrew Lynch
You know , I I I haven't had many , recent conversations with health care providers where they're asking me what they need to do , where that is more common on a CMMC conversation , where they're just still looking into what are the requirements. So , yeah , I mean , in short , you know , it's most of the DIB is small organizations.
And, again, I I do understand it's it's and and, again, empathize where there is gonna be money spent. You know, Virtru nor any alternative to Virtru is probably gonna offset the fact that you're gonna need to pay a C3PAO, you know,
Christopher Lank
Yep.
Andrew Lynch
Separately. And they're gonna charge what they're gonna charge.
And , you know , we'll probably see over time those costs go down as the barrier to entry is lowered. So Christopher mentioned there's still a limited number of them.
Christopher Lank
Yep. I I would actually add one more thing to that , Andrew.
It is that in this process , there really are no shortcuts. Okay ? And there are a lot of vendors out there that are kind of selling snake oil.
We can have you done in thirty days. I would just ask them to be very cautious of that.
This is a process. It is gonna take time.
And the C3PAOs, because they are the ones who are will eventually sign off that you have met, you know, all the objectives in level two, if everything is gonna go through a fine tooth comb. There's not gonna be any easy buttons. I know everybody wants the easy button, and I wish that we had invented an easy button.
The only thing that we can do is with, you know, companies like you know, and products like with Ivis and and Virtru is make it easier to go through the process.
Andrew Lynch
Yeah. I agree.
I mean , that's a saying that that I find myself repeating , in conversations , often too , which is , if it's too good to be true , it probably is. It it truly is a journey.
That's another phrase you'll hear. And, the easy button to get it done quickly, you know, certainly, that's not always gonna be where Virtru fits in.
We we are easy to implement , but we don't do everything. You're gonna need to address other controls that we just have nothing to do with , and and we tell people that.
And sometimes it's where we're almost the bearer of bad news there , but what we can say is from an encryption perspective , it's truly not going to be likely any easier where it's truly just a SaaS deployment. There are no new accounts , no new email addresses , no email gateways , no usernames and passwords.
And being FedRAMP authorized , we're definitely gonna help speed through that process , but we just don't do everything for an organization. We're not trying to say that we do.
And often , I've just learned from organizations that maybe switch from alternatives is , if if you if you see upfront that they're gonna cover it all , just as Christopher mentioned , make sure you do your research , do your due diligence. You know , make sure you're if you're using , it in conjunction with something like Ivis , it'll make it much easier to see what the gaps are , you know , what's gonna be in scope , etcetera.
Christopher Lank
Yeah. Well , yeah.
A good example of that is in , of our version of our GRC. If you're using , like , a Virtru or you're using , like , an Okta , some of these other groups that we've partnered with , you know , they have their shared matrix.
And and then that would be the one thing I would always say to anybody looking for a vendor is if they say we do all these things , ask for their shared matrix , and they should have that readily available. That essentially goes through all 110 controls and and hopefully down to the determine if statements as well to say , hey.
We handle this one. We share this one with you , or this one is uniquely on on you to do.
But we've been building in all these different shared matrix in there so that if you are using Virtru , you're gonna be able to see this is what Virtru has covered for you. This is what they're gonna share with you , and this is still what you're on the hook to do.
Andrew Lynch
Yeah. Thanks , Christopher.
And then we had another question just to get your take first move , Christopher. What's the right size for a company , small to medium , that are required ? Excuse me.
So , essentially , what would be the right size of a team ? I'm assuming this is maybe to be in scope for a small to mid sized company for CMMC level two.
Christopher Lank
Yeah. I I'm sorry.
Can you can you rephrase the question again ? I was kinda.
Andrew Lynch
The I think the question is is trying to get your take on if if we're a small to midsize company looking to achieve level two compliance , what's the right size of a team that maybe would be , maybe we'll start with to be in scope , and then why don't we transition to , then , to implement Ivis ?
Christopher Lank
Yeah. Well, I mean, to implement Ivis, you don't really need a team.
I mean I mean , obviously , you're gonna need a team to do the con you know , the controls and make sure , you know , they're putting the policies in place and the training and the artifacts and things like that. So for us , you know , we're a software as a service.
You know , you click a button and you're in the system. Now if you we we really kinda break this up into two camps.
There are organizations that have a very mature IT group , whether that's internal or external IT group. And those folks are pretty lucky because a lot of times going and getting the artifacts and making sure that these policies and procedures in place can happen.
Unfortunately, a lot of the small to medium sized companies maybe have a part time IT person. Okay? And that's where things get a little bit rougher because normally
this IT person, you know, checks our firewall. Maybe once a year does a pen test for us or, you know, does do some scoping for us, but that's it.
So if you're in that camp , you're just gonna start either get some more IT people and start leveraging that. There again , like we've just talked about , there's really not a quick fix for that.
You you're gonna have to get more people enrolled.
Andrew Lynch
Yeah. I would say similar with Virtru.
Again, we sell to a dentist that it's it's them and their office manager, that are using the same software that a defense industrial base organization is using for CMMC. So you certainly don't need an IT team.
You don't need a team. You need you need someone to be the admin and install it , the plug in in your in your email or to just go to a website and log in.
But it's probably not gonna get any easier. As far as scoping , you know , the size of of a team to be included in scope , well , that would , of course , be determined by the organization and , you know , what their workflows are and who's handling CUI , etcetera.
So we wouldn't really ever be able to say a number , but , of course , it's common we see with organizations , setting up Virtru for a subset of their organization that are gonna be included in their their CMMC assessment. No minimum or maximum requirement.
We have enterprise organizations that are using Virtru domain wide, and we have enterprise organizations that are using it for five people, for CMMC. And that's
what, right on our website. We're very transparent with our packaging also.
We have what we've heard , very transparent , easy to digest , and affordable pricing , for those compliance driven organizations , in the defense industrial base. So , I think that wraps it up for , the questions.
There was just another comment. Sorry.
The person said that they learned differences between AES 256 and FIPS validated. So, yes, CMMC, and in general, most compliances, there are some specifics, and, again, Virtru, we are using 256 bit AES symmetric key encryption.
We also are FIPS 140-2 validated, FedRAMP authorized. But, yeah, there are some just make sure you're doing your research.
Make sure it's public that you're validating. Do they have the certificates ? Is it compliant versus , certified , authorized , etcetera ? That should all just be table stakes that you're able to do your research on before you even waste time taking a demo with someone that can't even have a seat at the table.
But make sure you're doing your due diligence there. So , again , thanks , Christopher.
For anyone interested in checking out Ivis, again, they are part of the Virtru Compliance Champions program. So a partner of ours, who can complement someone in their compliance journey.
We don't do everything , but we hear what we do, which is encrypt data , rest in transit. We do that very well , but we wanna partner with organizations that can add additional value.
Just go to ivis.com and click request demo, and it'll go to a member of Christopher's team, and Christopher may be even able to join.
And similarly, anyone interested in checking out Virtru, just go to virtru.com, and feel free to reach out to us and learn more.
But,
Christopher Lank
Yep.
Andrew Lynch
Appreciate the time, Chris, today.
Christopher Lank
Yep.
Andrew Lynch
Any parting thoughts or anything you'd like to add ?
Christopher Lank
Just that you'll get through this if you have to do it. This is not earth shattering.
You will get through it. And we've got , you know , good partners here.
Not only , you know , partners like Ivis and Virtru , but there are a lot of good MSPs out there and and consultants out there that , you know , they generally wanna help you and get you , you know , through the process. And , the last thing I'll add is on our on our site , to if you haven't even started yet or just starting the journey , level one , we do have a free edition that never expires that you can get in there and dip your toes in the water and start the process.
And , again , we offer that for everyone.
Andrew Lynch
Yeah. Thanks , Christopher.
And yes, Christopher's email is just chris@ivis.com.
Well, thank you very much , again , for joining , Christopher. Thanks everyone in the audience for , joining as well and your questions , and we hope to be in touch with you soon.
And best of luck regardless of what you go with. And , again , kudos to all of you out there for actually going through this and doing it the right way.
But we would , of course , love to be a resource for you.
Christopher Lank
Yes.
Andrew Lynch
Take care.