In this episode, get to know a few of our diverse group of CMMC Registered Practitioners, also known as “RPs”, many of whom you may already be familiar with as they have been consulting with Redspin’s healthcare division, CynergisTek. Each RP you meet in this episode will give us a glimpse into their professional backgrounds including their involvement in holding various positions with the U.S. Military, and extensive experience working with NIST, FISMA, and other cybersecurity frameworks that aid the CMMC process.
LAUREN FRICKLE: Welcome to Cyberspin, the podcast that brings you expert insights to today’s hot topics in cybersecurity, privacy, and compliance for highly regulated industries. Subscribe to Cyberspin on Apple, iTunes, Spotify, or your preferred podcast platform. A transcript of each episode can be found at www.redspin.com. Welcome to Cyberspin, I’m Lauren Frickle, here to introduce this episode today. We have Redspin’s Registered Practitioners with us and we’re going to take some time to get to know who they are and understand some of their outlooks on CMMC. Before we begin, a little background: the US Department of Defense, the DoD, has implemented CMMC, which stands for Cybersecurity Maturity Model Certification, to help combat the estimated $600 billion in cybercrime losses that impacted the nation’s military supply chain. CMMC will serve as the unified standard for implementing cybersecurity across the Defense Industrial Base (the DIB) by requiring DIB contractors to meet varying levels of certification that are determined by the type and sensitivity of the information that the DIB contractor needs to protect. Today, we have our Registered Practitioners, or RPs, with us. An RP’s duty is to provide advice and recommendations to their clients. So, they are the consultants that DIB contractors who need a CMMC certification will be working with. Please note, RPs do not conduct certified assessments; they deliver non-certified advisory services that are based on their rigorous training. So, we thought you, our listeners, would like the option to get to know some of our RPs as you will likely be working closely with them throughout your CMMC process. Without further ado, I’d like to introduce Rob Teague, a standing favorite guest of the Cyberspin Podcast, and an RP himself, to help introduce and get to know our complete group of RPs. Hello Rob, how’s it going?
ROB TEAGUE: Good morning, thank you and thank you everybody for joining us today. Welcome back. You are sitting in on our weekly meeting that we do every Wednesday where we catch up on the latest CMMC changes and then we kind of discuss our way ahead for the next few weeks. But this is about our Registered Practitioners. So basically, I think what we’ll do is start this session with Colin Frahm. Colin, please tell the listeners a little bit about yourself.
COLIN FRAHM: Yes, my name is Colin and I’m an RP with Redspin and a little bit about my background is, in the late 90s I worked for Lucent Technology Services as a security consultant, security application trainer, and an assistant project manager. Projects included the worldwide deployment of a centralized DNS management system for the Army, a root of army.mil, which was the first time that they had a centralized DNS. As a training project manager, a trainer and it included support software like ESM which is still being used by the Army, and basically, I traveled all over the world to the Knox and military bases to train people on how to use the Army DNS. I also was part of a three-person project management team to design new networks, servers, and desktops for two Navy battlegroups which included two aircraft carriers and another 12 ships. And I can tell you one thing I learned about that, pricing out and stringing fiber between watertight compartments is really, really tough. One of my specialties is working with small companies and getting them into compliance, but at the same time dealing with the complexities of very large corporations with thousands of nodes. So basically, I’ve been working as a consultant since 1996. I started working with NIST in 2000 and started doing NIST 800-53, FISMA audits in 2006, and did CMSRs for 5 years starting in 2013.
ROB TEAGUE: Awesome, well as you can see everybody Colin is like very versed in the DoD space. When you’re talking about the fiber running through the ships, yeah, I had to run similar antenna wires through M1 tanks, and yeah, that was. That was a lot of fun. Thank you, Colin. Appreciate it. Next, let’s hear from Nate.
NATE XAVIER: Alright, thanks Rob, not sure I have quite the same background that Colin has to share. I’ve been primarily with CynergisTek for just over 11 years now. So, I started back when we were still a tiny company by all standards and have served in the capacity of different roles both on the ops side as well as a consultant. Most of that time has been, you know, working with clients both at the strategic and tactical levels, helping them identify controls, performing assessments, or working through cybersecurity strategy with their executives. Before that, I spent 4 1/2 years in the Marine Corps, primarily in logistics-related roles, but I did spend a fair amount of time with the comm shops. So when we talk about laying fiber, while it wasn’t my primary job, I was part of the battalion that led the Marine Corps re-entry into Afghanistan and helped lay a lot of the groundwork for our network out there. From a personal perspective, most of my time is spent chasing my two children around, being 5 and younger, and trying to keep them out of trouble. Beyond that, I really enjoy reading. I consider myself more of a lifelong learner, if you will. One of the more interesting things, or at least I think it’s interesting, is I do a lot of genealogical research, so I’m kind of a history buff myself, but I also spent a lot of time specifically focusing on the genealogy side of things.
ROB TEAGUE: Awesome, I appreciate your time Nate, and thank you very much. Next up, Jessica Arrington. No, she’s not related. I’ll let her introduce herself.
JESSICA ARRINGTON: Thanks, Rob. As Rob said, my name is Jessica Arrington and no, there’s no relation to Katie Arrington for those of you that are wondering. My background is colorful. I’ve worked in various industries, including I served in the United States Air Force as an officer. Working on the simulator program. We worked on standards and security trying to get all of the simulators with the varying levels of security the pilots have to have, you know with the controls and in the cockpit and things like that. Trying to get all those to talk together without giving up the secrets of the airplane. So that was cool. I also got to fly in the simulators when we had some downtime. Also, like some of the projects we were working on, so that was pretty fun. I also worked as a civilian working on the Total Army Distance Learning program trying to stand up that program when it was in its infancy. So again, another cool program for the military dealing with IT and various contractors working with them. Most recently, I worked as a network engineer serving the IT needs of small and medium businesses in the local area because I was living in a small town. I’ve been with CynergisTek for the past six years as an information security consultant, most recently now on Redspin serving as a Registered Practitioner. For CynergisTek, I was performing risk assessments using the HIPAA security rule and the NIST Cyber Security framework, so I’m well versed in that. Some of the things I like to do in my free time when I do have free time is I enjoy hiking and camping, anything being outdoors in nature, and having some peace and quiet. Having a 14-year-old son is never quiet, so being out in nature and just hearing crickets chirp is kind of my happy place.
ROB TEAGUE: Awesome, thank you. I didn’t know you worked on the Army distance learning training. That’s interesting. I’m learning just as much as our listeners are, so that’s awesome. Thanks, Jessica. Next, we’ll move on to my man, Keith.
KEITH MCDONALD: Alright, thanks Rob. Yes, I’m Keith McDonald, you might hear a little bit of a twang, I’m originally from Mobile, AL, and also being from Alabama, I’ve worked on some DoD contracts in that area. First, where I got the start of my professional career was down in Pascagoula, MS at Ingalls Shipyard as a systems engineer helping build some of the LPD class ships. Then after that, I went up to Huntsville. Spent some time in Huntsville working on Army contracts. Then after that, I got a wild hair and moved to Colorado and started doing some Air Force contracts, so that’s a little bit of my DoD background. Before I started working here at CynergisTek, where I’ve primarily been a consultant for the healthcare industry. Just like Jessica said, performing risk assessments primarily with the NIST Cybersecurity Framework and also the HIPAA Security Rule. I’ve also got a bit of a background in penetration and web application testing that I’ve done for industries such as banking, healthcare, telecom, and also web development companies. One of the things that I like to do is I am a private pilot. I’ve got over 75 hours in a Cessna 172. Hope to someday be able to own my airplane, and I also enjoy camping, kayaking, hiking, mountain biking and I really enjoy the outdoors.
ROB TEAGUE: Awesome, well thanks, Keith. Then next is Fadi, Fadi hit it.
FADI ATIYEH: Thanks Rob, my name is Fadi Atiyeh, and I’ve been in the IT industry for over 30 some years and with information security or cybersecurity since 2001. I started with Shared Medical Systems, Siemens, and also the Cerner Corporation, and I’ve been to hundreds of clients and I think I’ve stopped counting over 200 plus data centers where we review the environment, various technologies including cybersecurity, obviously. I’ve been with CynergisTek for close to two years in the capacity of a consultant, a vCISO, and now with Redspin as a Registered Practitioner. Some of the challenges that I see with the CMMC in terms of clients and the organizations seeking certification (OSC) are obviously the changes, getting to understand all the changes and requirements. In addition, regardless of how large or small organizations are, they all face the same cybersecurity challenges regardless, and as such, from experience, we see how smaller organizations tend to fare not as well just due to lack of resources and funding, if you will. That’s a typical scenario, if you will, but hopefully, as requirements become more and more clear, those challenges will be overcome. In terms of some of the fun things that I like to do in my personal life. Well, I don’t have a whole lot of time between cybersecurity and what we do as an organization, but I do have three boys and they especially keep us very busy from sport. My older two are in their early 20s and now they’re into cars. So we modify cars. Whatever time I have left, we typically spend on, you know, putting turbos into vehicles, doing all kinds of interesting stuff.
ROB TEAGUE: That is an awesome and great point for our OSCs out there. Last but not least is Jaime, so those that know me and know my humor Jaime is like my brother from another mother, so I may take it away, buddy.
JAIME CIFUENTES: Thank you Sir, and just so you know I did check with Mom and it is another mother, she didn’t claim you. It is a pleasure to chat with you all. Whereas Jessica said that her background was colorful, mine will be black and white ’cause it’s nowhere near as exciting as what you’ve heard from the rest of the team. My name is Jaime Cifuentes, and I’ve been with CynergisTek for a little over two years. Before then I was the acting Director and Infosec officer for the University of Alabama in Birmingham, and before then I worked for one of the largest organizations healthcare-related here in Alabama with Huntsville Hospital, and I shared that because all along that time I was also running my own consultancy helping smaller businesses and some governmental agencies deal with IT-related security issues and all of that goes on with trying to contend with the lack of resources that Fadi alluded to, and so I pride myself in not just being bilingual, speaking Spanish, but I also speak “regular folk on the street” and I know what little businesses have to contend with, where the one guy that might be the accountant is also the secretary and also the cybersecurity professional and everything that goes along with that. And so I get that. So I think it is one of my superpowers to be able to speak all of those languages as needed for folks. I don’t know that I would say that I’ve got a great deal of free time because my free time is also my work time as I see it. I listened to Nate talk about him being a lifelong learner and that is one of my passions. And because of that, I end up volunteering and I end up doing a lot of things related to the job. So I’m currently the healthcare sector Chief for the InfraGard chapter in North Alabama. Have been for a few years. I’ve served on the Board of ISSA. I have served on the Board of ISACA for several years also and have some of the training that each one of those is going to sessions provide.
In addition to that, one of the things that I enjoy doing is teaching. So I’m an adjunct teacher for one of the local colleges here in town. I’m in Huntsville, AL and I teach cybersecurity, and network design, network implementations, and a couple of other classes, and I also volunteered to teach A+ and Network+ to people who have been rescued from the sex trade to help them reintegrate into society and it’s very rewarding to do that. On the side of actual fun, I enjoy photography. I won’t mention long walks on the beach, it seems like this is not the right avenue for that, but yes, I do. And long extended kayak trips, camping, and chasing after my one-year-old lab. Which by the way turned one year old last week and graduated from star class last night! We had a big party last night and that is what I had to share about me.
ROB TEAGUE: Awesome, thank you, my man. Congratulations to the pup. He’s done well. I know he’s been working through that school for a while.
JAIME CIFUENTES: He’s been sitting right here very quietly, by the way, he gets a treat for that.
ROB TEAGUE: Well, everybody, that’s our Registered Practitioners. Real quick, I want to tell you a little bit of background on Thomas Graham, who couldn’t join us. He’s our CISO for CynergisTek and he is also prepping as we speak right now for the inspection of our network to be certified to go forward to do consulting and the certifications. So yeah, he’s a little busy. Also a little background for you, so most of these folks, like I said, I’ve known for a while. I do have to tell you Jessica was one of my interviewers when I came out of the military as a retired Command Sergeant Major, and I will never forget and I got to share with our listeners that she asked me, “If a client says they can’t use multifactor authentication on their remote connections, what do you tell them?” And as a retired Command Sergeant Major, I said “you need to get it” and she was like no, that’s the military answer, that’s not the civilian answer, so she cracked the whip on me and turned me from the military transition to the civilian. She played a vital role, as has each member here. So I gotta tell you, and you’ve heard it here. Their backgrounds are very solid. They’re very versed in the DoD industry as well as other industries across the realm. And I thank you guys for your time. And with that, ladies and gentlemen, these are the Registered Practitioners of Redspin, so I will pass this back to Lauren and thank you guys for your time.
LAUREN FRICKLE: There you have it, folks. You got to know our awesome and unique group of RP’s. Lots of diversity there, so thanks very much for listening, and remember to like and subscribe to this podcast.