A (5:51)

Yeah. So my therapist says I need to be more mindful of my feelings as we talk about the definition of information systems and whether or not hard copy CUI applies. This comes up pretty often. Okay, long story short, the way that I view this, I see this as the US Army Corps of Engineers making a risk determination that I do not think the department will agree with overall. But there's a lot of lag between when individual components requiring activities, program managers make decisions and then overall department policy that catches up to it. Right. Obviously it's taken a long time to get CMMC off the ground because people were making individual decisions saying, well, we don't really care to find out whether anybody's doing anything. So I think that this is a decision by the US Army Corps that I don't think that the overall department will agree with over time. I'm pretty sure that we would see an update to the FAQs, some sort of memo and or language in upcoming rule revisions to 32 CFR 170 and or the D DFARS clause for the CMMC program. That's what I think of at a high level. The other takeaway here, like you said, there's just not a lot of people that this edge case is going to apply to or really help out. However, it is a very important philosophical line that they need to draw because I feel like this is a interpretation that I can understand how they would get themselves to this. I can, I can see the chain of logic that they could use to get to this conclusion. And it's basically a game of regulatory telephone. Right? Because there is nothing in the definition of information system in FISMA itself, the legislative definition, that says that an information system is only a digital system. There is nothing in the corresponding definition of an information system. In OMB a 130 that takes FISMA and implements it for the entire government. In fact, A130 says the requirements of this circular apply to management activities concerning all information resources in any medium, including paper and electronic information. For those that don't know FISMA, OMB A130 FIPS199 FIPS200 853 derive it down to 800171 in the CUI program. This is the hierarchy of where these protection philosophies come from. But those that specific wording isn't carried over from one document to the next all the way down. And so we get this loosey goosey game of telephone to the point where what I feel like happened and we're definitely going to follow up on this in the future, we'll circle back in the new year is I feel like this is the equivalent of when contractors and their leadership teams hear cybersecurity, they think this is an IT problem, which as we know it is not. I feel like the US Army Corps and some other people are hearing cyber security maturity model and they're equating information systems to only digital assets. And that clearly is not the case because 3.8.1 is a requirement in NIST SP 800 171. Right? 3.8.1 is protect system media containing CUI, both paper and digital. You can go back to 853 to read where they got that from and then on and on all the way back up to fsma. Right, because there's nothing in information system that says it only has to be digital. So Glenda Snodgrass, friend of the show, friend of the Reddit, friend of the Discord servers, follow her on LinkedIn. She puts out great information. She had a great like one liner for this where she said this is going to limit your paper based. CUI limits your exposure, it limits your scope to a tremendous degree. It greatly reduces the complexity of your environment, but it doesn't remove the obligation to protect the data. And so because of this thing where people see CMMC as its own deal out on its own rather than a, a part of the overall protection of CUI effort, we're, we're losing the plot in terms of the Army Corps position here. And I feel like it's just going to take time for the guidance to catch up because that's the way these things work. Long story short, at this point, if you're a contractor, that's paper only downstream from the U.S. army Corps of Engineer. Live it up While you can. I mean, enjoy it while you can, because until they get smacked around from the department or something changes or whatever, which could be a while, this is their position. So enjoy it. But it clearly doesn't make a lot of logical sense because what happens if a requiring activity or a duty component took level 3 CUI. Level 3, like for all intents and purposes, straight up level 3 CUI. But they printed it and gave it to Lockheed. Just nothing applies anymore. Like it just doesn't matter. Like how often do we have conversations with people around printers in their environment? It's a huge pain. There's. There's requirements for it. It takes a ton of thought, but.

B (11:31)

One shredding requirements, like where it's going.

A (11:35)

To go next, right? Once I print, I have to worry about the printers, but once I print the data out, I don't have to worry about it anymore. Suddenly, because the data is hard copy, the department just doesn't have any assurance concerns over whether you're still protecting it. That clearly doesn't make any sense. The idea that I've got the paper, but I don't have a computer to go with it and suddenly the department doesn't want assurance that it's protected is clearly not the intent of what's going on. But if that's not clearly spelled out and there's wiggle room for interpretation and stuff gets lost in translation and lost in time and so on and so forth, then this is what. So in this case, it's a good thing for contractors because they're getting a big break, right? In some situations, like Fedramp equivalency, it breaks the other way where they go over restrictive away from what maybe their original intent was, and then it takes time for them to pull it back. So if you're one of the contractors that this is a situation for which there probably aren't very many of you, enjoy it, Enjoy it while it's around. I don't know how long it will be around. I don't think it will stick around, but it's a big advantage in the interim.

B (12:44)

And I mean, I'll say this, I don't want to bash anyone in in this podcast at all. There are a lot of incredible men and women in the DoD trying to do their very best. And they're reaching out to their own respective legal counsels inside the federal government, inside the DoD to make sure and validate some of these things. Right? This is not people saying things that started off the cuff. And so I do want to add a little Caveat to that. One thing I wish would happen is, is a couple things. One, I wish somebody from the DOD CIO's office would be present if at all possible and maybe be even proof the slides that are going to be presented about CMMC just so they can see if there's any clarifying points that they need to go update in the FAQ or inform somebody like the Army Corps, hey, that's not actually what we believe, right? And I wish there was a little bit maybe governance and oversight because if the FAQs would have been updated saying here's the stance of paper, here's it clearly spelled out, we're going to update the FAQs before your webinar. And I know, you know, time things take a lot of time to do, but like if there was some sort of regimented system like that where there's a proof and validation that yeah, what you're talking about, CMMC is accurate, or hey, that's a unique interpretation. Let's run it up to the CIO and validate that that is a stance that we're taking and is in line with the CMMC program. And then we'll collectively inform all agencies, sub agencies that hey, this is the way that we're interpreting this. Because yeah, the Army Corps could say this, Air Force could go say something else and say paper's not allowed. And so it's like you start looking at this and you're like, well, who do I believe, right? Do I believe the Air Force? Do I believe the DOD CIO's office? Like who, who has the ultimate source of truth here?

A (14:24)

And I think that what I would like to see is, you know, because to the Army Corps credit in what, what they said in the webinar is not that nothing applies to the data, they said that CMMC doesn't apply, but that the information protection requirements still do. So 7012 would apply, but the need for verification of 7012 would not. So this doesn't feel like there is. The Army Corps is saying, hey listen, when you're only dealing with paper based CUI, there's only a handful of physical protection requirements in 800171 and we're willing to accept the risk as to not tie up the need for C3PAOs to show up and verify just your physical information requirements. That's very different from saying CMMC doesn't apply because we're misinterpreting what an information system is defined as legally. Right? So I, I would like the US Army Corps to clarify that they're making a risk based decision rather than a definition based decision. Because if they're making a definition based decision, they're wrong.

B (15:37)

Yeah, I mean, that's a good call out. It's like, how are you coming to these conclusions? Right. The legal team say it's an acceptable risk or is the legal team somehow reading the definition of information system making a very different interpretation than what I would say the collective industry. And to your, to your point, Jacob, the founding source documents of what even got us here.

A (15:56)

Right. I think that's, I think that's probably what happened. I'd like to see them clarify that. So as soon as we get some clarification, that'll be, you know, the follow up that we do for this. But for now, if you're a contractor way downstream from Army Corps activities and you're only dealing with paper, then, you know, you got, you got a big break here.

B (16:15)

Yeah, yeah, congrats. Merry Christmas, you know, happy Hanukkah, the whole shebang, like. Yeah.

A (16:21)

And if you're, you know, if you're Lockheed Martin, just print it out and you know, send it in the mail and then who cares? You don't have to do any more assessments.

B (16:29)

I mean, I will say this. Construction companies especially, you know, they have people hauling gravel and concrete where they only will potentially issue paper copies because of this to allow those subs to not be fully in scope for CMMC requirements. Right. And so there are approaches and angles and justifications. I wouldn't say justifications, but there's a reason behind why the Army Corps is taking this risk is because construction has a lot of legacy subcontractors that honestly, paper copies might be acceptable for the work that they're doing on a daily basis. And so again, like, we're not here to say good judgment, bad judgment per se. We're here to say it's still confusing. We're here to say that we would like some clarification around how this conclusion was drawn. And I would even say I'd like, you know, the CIO's office to even state maybe an updated FAQs. If this is a collective stance of the CIO's office or is this just the Army Corps?

A (17:26)

Right. Because you know, we've got, there's a whole list of concessions that the DoD has made to industry over the years. If you're only a COTS based procurement and, and you handle cui, the requirements don't apply to you. If you are below a specific size of acquisition and you deal with cui, the requirements don't apply to you. If you do have the requirements that apply to you and you're dealing with a cui, some of the controls can go unimplemented for six months because the department is willing to accept that risk. The department will allow people without certification to bid or on contracts and come right up to the point where they need to award that contract because they're willing to accept the risk that you'll be ready in time rather than just cutting you out of the bid process altogether. We've had extensions on implementation times for DFAR7012 for a really long time. There's been all kinds of concessions to industry. So this could easily be a concession to industry where they're like, if you're only paper, you still have these physical based requirements, but we're not going to tie up the C3PAO system because it's just not worth it in our determination. Just don't feel like that's how they reached that determination. So if, if it wasn't, you could just come out with your official statement in conjunction with the DOD CIO and say, that's what we meant all the time and we'll call it good. But if you come out and you say, well, a covered contractor information system as defined by DFAR7012 doesn't have to be digital, but the applicable system for CMMC is only digital systems, then you're misreading the relationship between these two regulations. And that's something that at the very least the rulemaking should clarify the next time around. But there you go, everybody. That's what's going on in terms of what's happening. Great news if you're paper only. And another fun philosophical debate that we'll be able to pull through into next year and then, you know, hopefully into public comments through the CMC revision and rulemaking as we get to that next year. Daniel, always good to see you. Thanks for the notes from the webinar. What do you guys think in the, in the comments? Do you think paper based CUI should have a CMMC assessment? Do you think it doesn't apply? Is an information system only a digital system? Does an information system include paper? Let us know because apparently this is an open debate like and subscribe and we'll see you next week.

B (19:49)

See y'.

A (19:49)

All.

B (19:58)

Sam.