DoD Contract Academy
Koren Wise: CMMC, FedRAMP and Mastering RFI Response (Podcast Transcript)

business strategy federal marketing understanding government contracts Dec 17, 2022

[00:07] Richard C. Howard: Hey, guys, Ricky here with the DoD Contract Academy. I'm here with Koren Wise of Wise technical innovations. Did I get that right, Koren?

[00:15] Koren Wise: He did.

[00:16] Richard C. Howard: Okay, because for everyone listening, I got it wrong when I first pictured, and I shouldn't have because I've known Koren for a long time. So hey, it's great to have you on here. Here finally.

[00:25] Koren Wise: Thank you for having me. I'm excited about it.

[00:27] Richard C. Howard: No, this is great. We've known each other for a while. We've done some work within the DoD Contract Academy. You're actually in some of our training videos from some of the past calls we were on, which is really cool. But I really wanted to have you on because I think you are a great example of a business that has already started the process of trying to sell to the government and putting all of the procedures in place and just kind of letting people know where you are, the struggles you've had and the successes you've had. And you have a really interesting niche because I don't want to completely focus on kind of where you are trying to sell to the government. What you actually do is going to benefit a lot of businesses, especially if they're involved with technology, software in any way selling to the government. And those that are and are listening to me are probably well aware of the questions you get from the government involving the FedRAMP process and CMMC, and that's Koren's specialty, helping companies through that as well as some other things here. So, yeah, if you're ready, I'm ready. Maybe we could get into it, but maybe start with you, like, who are you? Where are you from? And why are you doing what you're doing?

[01:41] Koren Wise: Great. Well, I am a Navy brat from Virginia Beach, Virginia. So both my brother and father are retired officers from the Navy. And I'd say in around 1999, my dad had just retired and gone to work for a DoD contractor in the area. And I was a high school chemistry teacher. And he was like, you really need to get into this Internet thing. I think it's going to be very big.

[02:05] Richard C. Howard: He was right.

[02:06] Koren Wise: He was right. So he offered me to come over to the company that he was working for, and I kind of dove right in right away. It was like the first time that the MCSE or the Microsoft engineering curriculum was coming out and Cisco engineering was starting to be big, and that's kind of where my roots are. So from there, I was good at passing tests because I'd just gotten out of college recently. And so I became a paper certified person with not a lot of experience. But that changed as I began to get put on more and more contracts. I started getting under the wings of some really talented networking systems engineers and eventually got good enough to start teaching the higher level courses to other people and going out in the field, and that continued throughout my career. I've just always been partially in the classroom as an instructor and then out in the field as an engineer. I love the blend of the two, and no matter how hard I try to get away from training, I still end up deeply involved in some type of training. In 2004, I decided to start my own business here in Norfolk, Virginia, where I moved after I graduated from ODU with my Masters. And so I was doing a lot of, you know, deployments of products at that time, a lot of solution development. I've had a lot of good local government contracts here and a lot of contracts with medical groups or important health functions in our area. And so a lot of that was from year to year, it would change. One year, it could be a really good Cisco engineering year with routing and switching work, and the next year it could be a really good SharePoint year. But I was kind of all over the place. So I decided about right before COVID a few years before that, that I wanted to just zoom in and focus on what I love the most, which it seemed like a lot of my work had begun gravitating towards security work. And so I knew that I needed to at least get a few things under my belt to be taken seriously in that world. 
So I went and worked on my CISSP at that time and did a lot of studying, whether it was certification related or not. Just a lot. I don't think I've ever studied or read so much as I have in the past five years. I just began to zoom in on cyber-security, but how my history could really offer the most in that field. And when I began to learn about assessments, I was like, wow, this is right up my alley because I have such a strong technical background. And then I've got this other experience that makes me very relatable to people. And so as soon as I found out about all the world of assessments and how it worked and everything else, I was just that's it. That's what I know. This ties together everything that I've done so far in a really nice way. So that's what led me to really getting into the assessment side of things.

[05:03] Richard C. Howard: I find it interesting that you had parents that were in the military. This is at least a trend item amongst some business owners that I had someone on in the last episode. He's the founder of Govly, and his parents were both in the military. And so versus going into the military, he kind of focused on the public sector. But one benefit that he had was that he kind of understood the language he was used to hearing some of the acronyms. Did you find that you had that advantage as well?

[05:35] Koren Wise: Just kind of yeah, I definitely feel that way, and I feel that you gravitate towards it because you have a love of service. You just have a love of country. And although I didn't join the military, there's always this part of me that either thoroughly enjoyed working for the DoD contractor that my dad was at. That’s where he was vice president of that company. But then after that, just always when I've been teaching, loving my military students, and just always having that need to it's just like home, because that's what I've been used to my whole life between my dad and my brother and all of our conversations and everything that we talk about.

[06:13] Richard C. Howard: Sure. Did you guys move around a lot growing up?

[06:15] Koren Wise: We did not have to move around a lot. So I was born in Italy, but after that, he was stationed in Virginia Beach for quite a large portion of his career. He was lucky. We did go to California for a bit when he was on the Enterprise, but other than that, we really did not have to move around as much as most people do.

[06:33] Richard C. Howard: Okay, well, that's good, especially for the Navy. It seems like a lot of people end up in California, but military in general, Virginia, there's so much going on there that it's pretty easy to spend long periods of time there and get multiple tours. It sounds like you had some stability growing up, which is nice. And then you also mentioned I think you said you were a high school teacher at one point. Did I hear that correctly right?

[06:59] Koren Wise: I was a high school chemistry teacher for about, I was only, say, 23 teaching 18 year olds, and I had three different chemistries. I had remedial advanced and regular, so I had three different preps, and it was a hard, hard job. I was working a lot of hours, a lot of night hours. And that's what made me tempted when my father said, hey, you should come over here and try this. I loved teaching. I absolutely loved it. I was put into a rough situation for those first two years that made me a little tempted to try something different.

[07:33] Richard C. Howard: Okay. No, that's interesting. Is there a and this is just a side note because you mentioned you're a chemistry teacher. Is there a rack and stack among the teachers? Like, I'm a chemistry teacher, so I'm, like, at the top tier, and maybe, like, the gym teachers or the English teachers are lower on the total book.

[07:47] Koren Wise: Yeah, I mean, when I was walking in in the morning and my best friend was a gym teacher, and he had a lunchbox, and I had, like, the suitcase of ten books behind me and a bunch of papers to grade, and he just laughed at me, like, yeah, we're getting paid the same.

[08:00] Richard C. Howard: And I think it's interesting because when I was in the acquisitions world, on the Air Force side, the engineers all had like this rack and stack, kind of this fun banter between them where the mechanical engineers would get picked on, like, oh, you guys are kind of the lower tier. You're not up to where the chemical engineers are.

[08:18] Koren Wise: Right.

[08:19] Richard C. Howard: And that would go back and forth, but they all got paid the same in the end, just like your friend, it just didn't matter. Well, cool. So I can't blame you for wanting to kind of leave that and kind of vector towards something in the government contracting space. Definitely, at least in some regards, I would think less stressful than having to teach a bunch of high school kids, okay, great. So now you made that Pivot and you started working in that realm, and eventually you kind of found your sweet spot within cyber-security and assessments for everybody listening that's not familiar with CMMC and FedRAMP. Maybe you could talk a little bit about what that is and maybe just to kind of set the stage because as you know, we work with a lot of companies through the academy. I work with a lot of companies consulting since I've gotten out. And even from my perspective as an acquisitions officer, I can remember very clearly finding solutions, software solutions to problems that we had. And I talk a lot about the first couple of questions the acquisitions officer is going to ask themselves, right? So do they have money? Is this a requirement? Right, which is they're not working on if it's not a requirement, usually do we have funding? That can be a little bit more tricky. How can I put this company on contract, which is the contract vehicle discussion? And we can talk about that if you'd like to, but then right after that, especially if it's a software, if it's something that has to go on a government system or in the cloud. Now I'm asking, does this company have an ATO anywhere? Have they been on contract or they have an approval to operate? They don't have an approval to operate. Have they been through one of our cyber-security processes? If it's an existing product, does it have different certifications that can make this easier for me to get an approval? 
Because that approval process can take a long time and if you're trying to solve a short-term problem, that can be a big stumbling block. So setting that stage, why don't you tell us a little bit about FedRAMP and CMMC?

[10:30] Koren Wise: Good, I'd love to do that because there's a lot of misinformation out there about CMMC, number one, where its roots are, and then also whether or not it's really going to happen. So on a daily basis, I speak with companies that feel the heat coming, and they feel it really coming now. And I'll talk about that too, but you talk a lot about DFARS on your show and the Federal Acquisition Regulation. And what a lot of people don't understand is that this has been in the FAR for a long time, and people have been signing that they are doing it for a very long time. So in the DFARS clause, there's a 7012 is what we call it, where they basically attest to the fact that they are doing 800-171. 800-171 is 110 basic cyber-security controls is what they call it. And its origins are from 800-53, which has been used in the DoD for a very long time. But the security controls are grouped into families. And anyone who's on a DoD contract right now, anyone, every contractor in the United States who's on a DoD contract is already writing and signing the dotted line that they're doing those 110 controls. So you talk a lot about signing things and reading them and it's funny how people feel like CMMC is something new. It is not new. The only thing that is new is third party assessments. So in the past, the government was allowing DoD contractors to self-attest is what we call it, and they were doing so through the SPRS system, which is the supplier risk performance system. And they are able to just kind of go through the 110 controls in 800-171 and say, yep, we're doing that, we got that. We, we did that. You know, I mean, and every DoD contractor, most of them anyway, are just checking it, oh yeah, yeah, we got that, we got that, because it goes into SPRS and it's something that's looked at right alongside with their past performance. It's in the exact same system with their past performance. And that's what that system is meant to do. 
It's meant to help the acquisitions officer kind of figure out or gauge the level of risk associated with a particular contractor. We said that was 7012 and it has its iterations, but it comes up to 7021, where they say in 2019, this is going to be a thing, there is going to be a program called CMMC, where there's going to be a program, there's going to be these third party assessments every three years. Because what we found as they went out, and I think this falls under DCMA, I can't remember for sure, but they went out and started looking at the companies that had these 110 scores and of course they found that they were far from 110. And so that's where the origin for CMMC comes from. And a lot of people don't realize that they were supposed to always be doing this and they get upset that they have to do it now, but really they should be more concerned with false claims and things like that. Because the government actually has come out very loudly lately and said, if you are putting incorrect scores in there, you could be held accountable. And so the next thing that you get with all this is that a lot of people don't think CMMC is really going to happen, but it's well underway and it's going to happen. And the first chance for rule-making to be complete comes up this March and it looks like they're on track. So it looks like rule-making for CMMC will be completed, which means it can begin to be worked into contracts after the 60-day comment period. And so they're not going to do that. It's not like every contract the next day will have this wording in there, but you will start to see contracts with the CMMC requirement. Just like contracts say, you have to have a facility clearance or you have to have this clearance or that clearance, it'll be no different. This will just be a section that says this company must be level two certified. And that would be because the contract has CUI, which is controlled unclassified information. 
And then if they're not working with contracts that involve controlled unclassified information, they will just have to get certified at level one, which is 15 controls, a little bit easier to tackle, but many, many contracts have CUI. So we're talking about a huge portion of the defense industrial base that will need that level of certification. And so it doesn't matter what DoD does because it's already happening. Primes don't want to they're worried. They don't want to do business with companies that don't look like they're going to be able to become CMMC certified. So we have a lot of companies coming to us because they're getting pressure from the Primes. It does matter when DoD puts it in the contracts, but I can tell you it's already here because the Primes can do whatever they want. And if they want to say, we're not working with you unless you look like you're able to get this level of compliance, then they can do that. And so it's going to shake things up a little bit, I think, once it's fully underway, because it'll be interesting to see what happens if rule-making doesn't work in May or if they need to delay it. It would be delayed a year and then it would most definitely happen the next year.

[15:56] Richard C. Howard: I mean, for small businesses, this really makes a lot of sense, hitting it now and knocking it out. Whether or not this comes to be in March, like you were talking about, this is going to make their case for not only Primes putting them on contract, but also for the government. So if you picture five companies coming in and they all kind of sell something similar and maybe one of them has been assessed for the CMMC requirements like you're talking about, that's going to give at least confidence on the other side, like, hey, this company at least has put something in place, it's been verified. And if they are not ATO Honey System at least that gives me a little bit of confidence that we can get there right. We're not starting from scratch. And like you said, a lot of companies are on contract and they have these clauses in there, and a lot of companies don't even read the clauses or understand them. Right. So I shouldn't say that offhand. Companies just sign any contract and a lot of times they just don't understand the quantity exactly.

[16:59] Koren Wise: No, you're right. And it's not that anyone's purposefully. And there's actually a lot of back and forth right now where contractors are calling out to the DoD for help. There's things like Project Spectrum, which is supposed to help small companies to get to where they need to be. And I know that there are going to be efforts to try to help companies get to where they need to be, but it is quite the steep uphill battle for some companies, and it's just for a company of one or two people. It's a lot to do, but there are ways to do it that are much more simplistic and cost effective than other ways. By the way, as far as what we do in the CMMC ecosystem, and I should have said this before I got started, I was accepted into the Professional Assessor and Instructor Program. There's about less than 200 of us in the United States right now, and this was before they actually were ready with the official certifications for assessors. And so they had these requirements and you could apply, and if you got in, you would be in that first swing of assessors that is going to help with the assessments when they're underway. Right, but I'm actually a candidate because I'm waiting on suitability. That's all that I'm waiting on. And a lot of us are waiting on suitability. So just like other clearances, we have to have a clearance for that, and they're taking a long time. We're also a licensed training provider for the CMMC AB, so we're an official licensed training provider. And I would say if somebody was trying to figure out how to really do this on the cheap, the best thing they could do is send one of their people to that training because it does two things you won't get ripped off by. There's a lot of people out there trying to prey on the fear of companies that are scared about CMMC compliance, and they're not really doing what they say they're going to do or getting them to where they need to be. 
So if you send somebody to class, you learn about the whole thing front to back, back to front, and you can't get taken advantage of. And the other thing is, you can do a lot of it yourself. After you get out of that class, you're much more confident, like, hold on, we could knock out a lot of this without hiring anybody.

[19:08] Richard C. Howard: Oh, that's awesome. Well, I can see you still have the passion for teaching.

[19:13] Koren Wise: Yes, I told you I can't get away from it. No matter what, I am still there.

[19:18] Richard C. Howard: It's a talent to be able to break down something complicated like this. And this is probably the clearest instruction I've ever received on so that's really good. Now how does that relate? Because in one hand I hear CMMC all the time, on the other I hear FedRAMP. Right. Could you tell us a little bit about the FedRAMP process and what that is? And is it related at all?

[19:38] Koren Wise: So FedRAMP was originally intended I'm not a FedRAMP expert, by the way, but I do know some things about it. So that is a separate certification program, really for a different purpose. It was meant to certify cloud service providers so that we can trust all of those things to be true about that cloud service provider. So they have a very rigorous set of controls, not exactly like 800-171, but some of those and then even more that would apply to a cloud service provider. And they undergo very heavy scrutiny by the FedRAMP assessors to get that stamp of approval. And then you can assume that a certain level of security is being utilized by that provider where you're storing your data. And it looks like there's going to be some reciprocity between CMMC and FedRAMP, but you have to understand how far that would go. That just means, like, if there are certain controls that have to do with storing your data, and there are, and you're storing your data up in a FedRAMP compliant or sorry, certified cloud provider, then they will accept certain things to be true based on that alone. And that would help you to check off some of the 110 controls, but not all. So there's all types of vendors out there, software, it could be SaaS, software as a service, or infrastructure as a service. And they're like, oh yeah, we'll get you all the way there with just this product, just buy this product and you're done with CMMC. If you really looked at the CMMC controls, that's impossible because there are so many controls that have nothing to do with hardware or software. They have to do with you screening people before you hire them. They have to do with your physical security and locks on doors and all types of things that are outside of any software product and have nothing to do with anything that a software product or a cloud service provider could ever accomplish for you. 
So FedRAMP, again, it is a high level assessment and there are different levels you can get, but there's like FedRAMP moderate or whatever, but it's basically saying that you can trust that that cloud service provider has all of these controls in place on a consistent basis and your data is safe.

[21:50] Richard C. Howard: Okay, interesting. No, go ahead.

[21:53] Koren Wise: No, that's what that is about. You go ahead.

[21:56] Richard C. Howard: No, I was just going to ask. So if I was a software company and it was a cloud based software solution, FedRAMP is something that would probably have to take place at some point.

[22:09] Koren Wise: So it's a long and hard process to do that. I think it's probably fairly expensive for a provider to do that, but the most respected providers are doing that, but.

[22:21] Richard C. Howard: They might not need CMMC certification if they're a cloud provider.

[22:27] Koren Wise: So this is such an interesting and highly debated topic right now, and you could take this topic to just managed service providers, right? So let's talk about all those companies out there. Most of these mom and pop shops have a managed service provider. They don't do their patches, they don't do all of their basic IT security needs. They don't know how they have someone that does that for them. Well, that's going to be a pretty big problem with CMMC and that would be a whole another topic. But yeah, if I ask that same question you just asked about a cloud service provider or an MSP, they're kind of equivalent. If your CUI is touching anything to do with those entities or they have access to your CUI, they are going to become part of your CMMC assessment. So they will be something that we have to look at and they will be something that we have to assess. Interesting, unless we get that stamp of approval where the Cyber AB or the DoD says, oh, if they're FedRAMP certified, you can assume that this and this is done. But we haven't gotten any of that yet. So right now if you tell us there's a CSP or an MSP, especially the MSPs, you should see what I see when I go out there. And these MSPs, some of the practices that they have, I wouldn't say they're wrong or dirty or anything like that, they're just never, ever going to pass the CMMC assessment with those practices, sharing accounts among multiple employees, things like that.

[23:57] Richard C. Howard: That's really good to know, and I think a lot of businesses listening to this are probably going to take that to heart and maybe call you at the end of this podcast. So it's more complicated than just saying, hey, I'm a cloud service provider, I might need to go through the FedRAMP process, but I may or may not need CMMC. I think it's really at the end of the day, it's going to depend on what program are you working on, what officer you're working with, what is the solution for and what are their requirements, what are they requiring you to do? What are you touching? Are you classified information? Are you, like you said, CUI? Are we both on premise and in the cloud? There's so many different variables and that's.

[24:39] Koren Wise: Why you really do need help, because it is so complicated. When you begin to try to apply the 110 controls to all of those variables that you're talking about, you probably are going just like the same way you hire a lawyer for certain things and an accountant for that type of matter. The same thing here. You really need someone that understands how to make it work. And the name of the game is something we call reducing scope. And that is to do exactly what you said to change the culture in your organization. So people stop emailing, downloading, printing CUI, you've just solved a ton, you've just saved yourself a ton of money. If you can get that change to occur, and if you can put that data up in the cloud and have them work with it in a cloud service provider that is FedRAMP certified again. And they never download, they never print. And if you get to the point where as much as possible, that's what's going on, that's where it becomes a much easier certification process.

[25:36] Richard C. Howard: Yeah. My advice to any small business, we focus on small businesses on this show. Large businesses listen to it also and people from those organizations, but they tend to have a better once you are a large business, you're in a technology field or software, anything that's going to require one of these certifications, they tend to be further along and have teams of people and whatnot. But not only there's a lot of large businesses out there that haven't gone through the process or started either. But I would say as a small business, if you're listening to this, I can tell you just because I'm in it every day, I'm seeing a lot like the new requirements that are coming out. They are right from the gate saying, hey, we are expecting you to either. And they'll talk about FedRAMP, they'll talk about CMMC, but the security requirements involved are becoming more and more of a mandatory, not a and again, there's a lot of things that are going to come out and change over the next couple of years. But my advice is start thinking about this now. Start making some moves. Even if you can't accomplish it all at once, you don't want to be at the doorstep of the government with a solution that they want. And you haven't even begun the process of any of the requirements for FedRAMP or CMMC. And there's some other things out there. You want to have done something, you kind of touched on it anyway. But hey, what's your advice for that small business? Small business that has a great solution. They haven't started any of this. Maybe they're hearing it for the first time or maybe they've heard it from their potential customers and now they're listening to you. What are some first steps that they can take?

[27:11] Koren Wise: I would say some of the first steps that you can take are to if you already have a contract to talk to your contracting officer, they are going to be the source of whether or not you need to be certified at a certain level. And you always want to think about there's going to be this level one or level two certification or even level three. You want to think about the types of contracts that you're going to be going after over the next three years, not just today. Doesn't matter if you don't have a contract with CUI right now, do you think you're going to want one to bid on one? Because you must be certified at the time of award once this starts to happen. And so the first step is to think about the contracts that you already have or you might want to bid on and whether or not those contracts would expose your company to CUI. That's the biggest question. Once you figure that out, you really want to do something that we call reduced scope that I just said. So you're trying to start changing your culture to where you think of ways if you have home offices that you begin to limit printing, downloading, and these types of things, and really think about how your home offices are being managed right now. Start to think about your MSP if you have someone helping you with your IT and their practices and take a look at 800-171. It's plain English, it's not that hard to understand a lot of it. And then mark the ones that you do understand and you don't understand and start to think about what you might have to have somebody help you with. And maybe you're pretty technically savvy. Maybe you could go to CMMC training. If not, then you're going to need to try to find some help from someone that can start budgeting for someone that can come in and help you get there. But I'd say my answer is that Microsoft commercial is a good choice for people that don't have CUI. 
If you have CUI, you might be looking at needing GCC High, which is the more secure government version of Microsoft's cloud product. And even though something like that might seem very expensive to you, they've kind of taken away the licensing where you had to buy this many licenses, like a huge number, it might be worth it. You may find that the cost of that license is less than all of the consulting and all of the work that you would need to do on premise if you don't move to something like that and change your culture towards something like that.

[29:38] Richard C. Howard: Interesting. No, that's great advice. And if they want to look at 800-171, they can just Google.

[29:43] Koren Wise: It and build up.

[29:45] Richard C. Howard: It's not like document that you have to request from the government.

[29:48] Koren Wise: Most things absolutely not. Just go to this website and there's also 800-171A, which is a little bit less wordy and it's just the requirements and their objectives. I like that one. It has an A at the end and that one is a really good one for people to look through.

[30:01] Richard C. Howard: All right, good. And of course they can call you if they need.

[30:04] Koren Wise: Absolutely, yeah, please do.

[30:06] Richard C. Howard: Great. Okay, so you've helped us and myself, I have a better understanding of this over the past, what, 20, 30 minutes or so? Here what's next for you and your business? What are you trying to do now? What are you trying to accomplish? Can we help? What's going on?

[30:22] Koren Wise: So I think you and I talked a little bit about the CMMC thing. I always believe in insurance, like everything I've ever done in business, I always have a backup plan. So I won't say that CMMC is my backup plan, but I try to go kind of two different ways towards the same thing, knowing that one, like I told you, some years it was Cisco that was making me money, and the other years it was Microsoft. That's always been kind of my plan of attack. And so as I've gone into the try to win a government contract, some of the things I've done is I kept the CMMC part of things going, and that's been making me enough money to sustain me doing the business development on the government side of things. And so what I've done during that time is I got HUBZone certified. For example, I went and got EDWSB. I applied to the 8(a) program, like I told you, and that's pending. And I hear people I can't tell you how many times, like, when I went to do HUBZone, somebody said, oh, that's going to take forever. You have all this and that to do. And people are always telling you how hard something's going to be. It's impossible. You can't get on that. That's what they said about 8(a). But I still try anyway, you know, and I always, like, see stars aligning. So, like, when I did all the paperwork for the HUBZone, or I did all the paperwork for the EDWSB, I'm like, well, why wouldn't I just take a shot at 8(a)? I've got 75% of the paperwork now, and I had to get all this financial data perfectly in place to apply to any of that stuff. So I just kept going with it where I'm like, you know, since you're already losing money because you're spending all this time working on this stuff, it's not going to hurt you to spend one more week doing this other stuff, which is about what it will take. And that's been happening a lot. But every time that I do that sacrifice or I take that step, it turns out awesome. 
Like, when I got the HUBZone, it's not that it led to more government contracts, but what it did open the gate to is the Seven J program, and that automatically gave me access to bid speed. So somewhere that I can manage my contract, somewhere that I can look and filter and sort through Sam.gov, all these little things always end up leading to something else. I've been finding that a lot with different things that I'm doing where I'm like, oh, okay, there's this huge ladder I'm climbing, and each one of these is like, a rung in the ladder, and it feels like the ladder keeps getting longer and longer. By the way, right when I think I'm there, I realize, wow, you know nothing at all. You have so much more to learn. It's kind of overwhelming when you're trying to learn all of this about the contracting world. But some of those programs have helped with that learning. They've opened up the door to a lot of video training. When I say that I studied a lot. A lot of my studying was done through audio. So I consider listening to your program audio studying. And I listened when I first found your program. I listened to it probably each episode twice. I do that with everything. I listen to it twice because when you're listening, you kind of lose a little bit of it.

[33:26] Richard C. Howard: You probably fall asleep during half of it.

[33:28] Koren Wise: No, I don't. But I definitely was hearing your mantra about relationships, which it seems like I'm bubbly, probably. But I do have a lot of trouble going out and just feeling like I'm a bother to someone or calling them or asking for a favor or asking for things. And so I would listen to you talking about forming these relationships, and I just kept listening to your coaching, and I just started following a lot of that, because what I was doing was all in my own head. I was doing all of this work, but I was missing. I wasn't taking the time or putting enough focus on the relationships. And so I'd say that's the biggest thing that I've gotten out of your show is these relationships. The same way that I said some of those other steps I was taking led to better things. The relationships are interesting in that way. They never lead to what you were expecting, but they lead to something really good. And so I began to finally start bidding. And when I started bidding, you mentioned it the other day, cyber-security is so competitive. You've really got to figure out what your plan of attack is. And so, an example I gave you once before, is I saw some training for industrial control cyber-security, which is a very niche part of cyber-security. It has to do with all of the controls that are used to operate manufacturing equipment, SCADA, all that stuff. And so I was like, well, I definitely know cyber-security very well, and I know training very well, but what I don't know very well is industrial controls. And so I just Googled like, who's the best at industrial controls? Who is the go-to guy? But I didn't mean the best like the person selling the most. I meant the best like the nerd who's the guy that really knows industrial control. So I found this doctor, Michael, I'm forgetting his last name right now, but he was the best, and he was already doing a lot of work with building training programs for the government.
So I just took a shot in the dark and called him and he's like, actually, I said, there's this RFP out there on GSA HACS, which we're awarded on. And the cool thing about that is not a lot of people are on it. So when you bring them something they're like, oh, I didn't even see that. Where did you see that at? Yeah, and so he was like, well, I work with this other company. Whenever there's things like this or opportunities like this, would you let me put you in touch with them? And so he did and they said, yeah, sure, you can put our name down on the response to the RFI, which was a request for information, and I got to know them a little bit better. So now I'm talking to this completely different company that has not just that, they do a lot more than just what I was asking about and they work closely with that expert. And so I put them on the RFI, and then I remembered something else he said, so I didn't hear anything for weeks and weeks and weeks. And I'm like, I think he said that it's more than okay to reach out during this time because there is not a solicitation out. And this is something he's been preaching over and over. So I'm just going to try to email directly the guy whose name was on the RFI, and I did it and we got our meeting, and it was so cool once I got that meeting. Here I am coordinating these experts that I've never met, but here I am getting to interact with them and at least learn from them. And the whole point is I might not win anything off of this, but I just learned a lot from a lot of different people and we might have a really good chance of winning it as well. So we go into the meeting.

[37:25] Richard C. Howard: Can I ask who is in the meeting?

[37:27] Koren Wise: Okay, so in the meeting was the representative for the Air Force who was the DoD entity that was asking for the work. And then the other company's name was Spectra.

[37:40] Richard C. Howard: Okay.

[37:40] Koren Wise: And then they were representing the doctor that I was talking about that's the expert with all of the industrial controls.

[37:48] Richard C. Howard: Sure.

[37:49] Koren Wise: And there were a few of their industrial control experts in the meeting as well. So there was about five of us. So it was the government brought two people, we had three people from the other company and then myself. And I made sure to lead that meeting because I knew that I was the one that had gotten the meeting, and I knew enough to make sure that it was clear in the eyes of the DoD that I was the one that was on the GSA and this type of thing, because I've had that happen, too, where things get swept away. But it went really well and what went the best was how thankful the DoD was. So through that company, I was able to bring them information that they didn't have already. They just kept saying, man, you have no idea how much this is going to help us write these requirements and get this out a little bit faster. And I just kept saying, okay, well, don't forget I am on GSA HACS. I'm hoping that they'll put it out on HACS because it is a limited audience, but I just used a lot of the things that you taught me during your lessons and all of that. That's how I've been using some of the things that you taught me. So we're still waiting for that to come out. But some advice that you gave me during the training sessions was in order not to miss it, I need to understand that it might not come back out on GSA HACS. It could come out anywhere. And so just setting up those filters and the different tools to make sure that I don't miss it, I thought that was just really good advice because it could be called something different. It could show up on a different vehicle.

[39:32] Richard C. Howard: It could be really easy to miss that. So first you did an awesome job there and it's actually a really great example of exactly what we talk about all the time, right, which is and people have talked about this too, on some of the other episodes, right, which is they're a little intimidated talking to the intimidated. But some people have said, hey, we're a little intimidated before we approach the military talking to the DoD contracting guys. But then when we do, it's the same experience you have, like humble and gracious and thank you for informing us, because they're not the experts. I've said this a lot, but I wasn't the expert at cyber-security or drone software or you pick the technology. And so when you go in there and you're bringing the subject matter experts with you, now all of a sudden you're really helping out their team and you are helping them write the requirements. And this is the other half, which is, hey, now that we're actually focused on the market research phase, because I hear small businesses and large businesses a lot will say, oh, well, defense contracting is rigged because this contract looks like it was written for a certain company. No, it wasn't rigged. You just didn't understand that there was a market research phase or you just didn't take the initiative to participate during that phase. And so that's where the government helps write the requirements for these. And that's what you did. You helped them write that. So now, more than your competitors, you're going to understand what they really want because you've talked to them, you've helped them put what you need to in there. Now they know you and they know your team. Like I said, I usually knew who I wanted to put on contract. I didn't always get to hire them, so they probably know that you know what you're talking about now and that you have a solid team put together, and you have that relationship.
I mean, there are so many benefits out of what you just put together that, again, whether you get awarded on this one or not, I think that that's going to you just keep pinging them and keep that ball rolling.

[41:36] Koren Wise: Well, some hypothetical questions about what you just said. Do you mind if I ask a few?

[41:40] Richard C. Howard: Yeah, no, go ahead.

[41:41] Koren Wise: Okay, so first I just wanted to say that although I did make sure that they knew I was the lead on the project, I knew enough to sit back and not say a word after that, because the company I'd come with, they were so impressive, and they really had just true experts in the field and said they were amazing. And I'm worried. Their name is either Spectra or Spectrum. I want to give them credit. But my question was, you said to keep pinging them and pinging them. Can you talk? So after that, I felt like they had kind of just said, this is awesome, thank you so much. And then we did send a follow up email, which they were extremely, you know, like, wow, what you just sent us is unreal. Like, very helpful. But then after that, I didn't want to be too pushy.

[42:28] Richard C. Howard: How long ago was that?

[42:30] Koren Wise: That was about a month and a half ago.

[42:32] Richard C. Howard: Okay.

[42:33] Koren Wise: And they said it would be over the next four months.

[42:35] Richard C. Howard: Yeah. So, no, now is perfect time for you, too. So they said that it would be sometime in the next four months, the solicitation would come out. Yeah. So I would definitely send them an email today. I probably would have done it a week or two ago. And again, you don't want to send them an email every week because you're going to be kind of pestering at that point. Right. But you provided a lot of value. Right. So I think that if you're reaching out to them once a month or so, once every five weeks, just to say, hey, just touching base, this is the email. I would write something along the lines of, hey, I just wanted to reach out and make sure and I will probably reply to the last response they gave you, just so they kind of have that history fresh in their minds. Just wanted to see if you needed anything else from us for the upcoming solicitation. Also wanted to see if because we don't want to miss it. Is it still coming out? It's going to come out on GSA or have you made that decision yet? Try to get a timeline. I would throw something out like that.

[43:33] Koren Wise: Okay.

[43:34] Richard C. Howard: Then they may respond, oh, no, we haven't decided yet. You'll be the first to know, or keep an eye out on SAM.gov. Depending on who you're talking to, it sounds like you have a good relationship with them, or they might be like, hey, yeah, glad you reached out. We decided to go. We have a new vehicle. It's this, we're going to put it on NASA SEWP.

[43:55] Koren Wise: Exactly.

[43:57] Richard C. Howard: Then you would have missed it. So now you know that you need to partner with a company that would be on NASA SEWP to get in there and do that.

[44:07] Koren Wise: Here's my hypothetical question. You've been touching on this a lot lately, but I think this is a good scenario where it's actually relevant. So the 8(a), let's say that we had had that exact meeting that I told you about and I had actually been awarded through the SBA on 8(a). What could I have done with that during that? Because he said during the meeting, I know he mentioned the word sole source. There's nothing here for us to sole source it or something like that. When does that happen? This thing you're talking about where they can make the choice to sole source, would it be before that? After that? During that conversation?

[44:47] Richard C. Howard: Yeah, when you say before, during, so you could say all of the above, but really that conversation is probably one of the best times to bring it up. If I couldn't get a meeting with them, I might bring it up before that. The first thing, you did what you're supposed to do, which is you're not selling your certification, you're selling the solution that you can provide. Right. So you've already proven yourself. You're a subject matter expert. You've obviously helped them a lot in building out requirements on the upcoming solicitation. Now you want to make it as easy as possible for them to put you on contract. So what that means if you have the 8(a) certification, is there's language in there that can make it easier for them to give you a sole source contract if they wanted to sole source give you a sole source contract right out the gate. And I wasn't in the meeting and I don't know all of the requirements here and I don't need to. But if they want to give you a sole source contract without any help, I guess you could say from like a certification or if you are an SBIR Phase II graduate, there are certain things that make it a little bit easier to give a sole source contract. That aside, you would have to have something so unique that no other company would have it. Right. It was like proprietary maybe, or it would cost the government so much money and so much time with another company to build what you already have that they could justify giving you a sole source contract. And there's a lot more that go into that. There are shows out there that focus solely on the FAR clauses and the contracting piece. But you get the gist of it. It is incredibly difficult to make the case for sole source contracting unless you actually have ways of kind of getting around that. And by the way, also, all contracting officers don't necessarily understand, like, hey, you're an SBIR Phase II grad.
I can make it easier to give a sole source contract or 8(a) certification or even SDVOSB. There's some language there, too. And I'd actually want to look into your HUBZone certification and see if I could find anything along those lines. But 8(a) in particular, what I would have done is during that meeting, I would have said, hey, we're on GSA, but we're also 8(a). I know that can make it easier for you to produce a contract. And I'd say it like not, yeah, but if you're just kind of giving it to them, you're like, hey, here are some ways that it can be easier for you to provide a contract. And if that team is comfortable, every team is different, right? But that team may be comfortable, very comfortable with giving a contract to an 8(a) company, because that's part of the value of having that certification is it can make it easier to get some initial contracts just because of the criteria involved in getting 8(a) to begin with. Anyway, that's how I would have done it. I would have done the same thing if it was SBIR Phase II, by the way, something else I would do is I would have that language, right? I was on that side of the table, right? They don't have the FAR memorized, right? They've got 100 things they're trying to put on a contract, and yours is just one of them. So if you have a special way to put someone on contract and say, hey, here's the language in the FAR that allows for something like this, especially with the SBIR, because that's less known, but even with 8(a), I would also have that. And then maybe a homework assignment is read through that HUBZone certification for you. You mentioned DC. May I have a great he was on one of my podcasts, Colonel Lorendorf. I don't know if you remember that episode.

[48:22] Koren Wise: But I do.

[48:24] Richard C. Howard: He's amazing with that type of thing because he really understands the specifications involved. And when you can actually use something like that and he's actually helped us with other students and clients, like put language together for sole source contracting and for other things related to that. Anyway, so just some food for thought. But that's how I would do that. And by the way, so now let's go to the next step. If there is anything in that Hub, because I'm constantly learning, right? If there's anything in that HUBZone certification that can allow for ease of contracting and I don't know, I'd have to read through it, then I would absolutely be using that and offering that to them. So maybe you could read through that.

[49:05] Koren Wise: First before you send it to me. That's a good idea.

[49:09] Richard C. Howard: Okay, well, do they know you're HUBZone certified?

[49:12] Koren Wise: I'm not sure if I harped on that that day because I probably didn't know it was beneficial. I thought it was more of I need to try to bid on things where it's been a set aside for HUBZone. I didn't even realize that it could be used in a way other than that.

[49:28] Richard C. Howard: By the way, I don't know that it can.

[49:31] Koren Wise: Yes, you never know that. You're right. I need to read through. Now, if I go into SAM.gov and I right click on my report, is that where I'm looking for the wording in my HUBZone thing, or where? No, in the FAR.

[49:47] Richard C. Howard: Yes. I was actually just trying to look it up for you here, but it's just with the Zoom call, it's making a little bit difficult, but yeah, no, I would look up the HUBZone. In fact, I'm just typing it in right now just to see. I had another former contracting officer actually, I was talking with that is a service disabled vet, and he was talking about how that certification and this is what he's done in the military as a contracting officer, that SDVOSB certification has allowed him to put companies on contract without a competition a little bit easier. And I didn't know that. So this is FAR 19.1306: contracting officer shall consider a contract award to a HUBZone small business concern on a sole source basis before considering a small business set aside, provided none of these exclusions apply. And then it talks about there's some stipulations here, reasonable expectation that offers would be received from two or more HUBZone. That sounds like one of the because if you're going to set something aside for a certain set aside, usually there has to be more than one.

[51:01] Koren Wise: Right. I've had other HUBZone companies approach me about this where they're like, we need you to bid on this, too, so that we can get it as a set aside.

[51:10] Richard C. Howard: So I would read through it and see what you think. There's probably a few more things you could do with Google just to understand where it's been done before. And some of them and by the way, I would just throw it out to them, too, like, hey, we didn't talk about this, but I'm also HUBZone. I don't know if that makes a difference. I mean, you can just throw it out there like, hey, you're the expert, not me. So you tell me. By the way, I've also run into teams that even though the government can do something, that doesn't mean they have to. Right. So some teams might be comfortable with 8(a) and sole sourcing, where others are like, no, we're competing this and that's the direction they're getting. Don't fight with them. Every team is a little bit different. Just offer them different paths and they'll pick one and keep you in the loop.

[51:55] Koren Wise: Right? Exactly.

[51:57] Richard C. Howard: Cool. Well, Koren, this has been awesome. Is there anything that you would like to throw out there, maybe, where people can reach you, your website? Can they find you on LinkedIn, that type of thing?

[52:08] Koren Wise: Absolutely. So on LinkedIn as Koren Wise, of course. And I post all types of things. Helpful content that has to do with CMMC for those that followed that part of the podcast and were curious for more information. And then our company website is WTI Networks with an s.com. And so we're also on the GSA for HACS, which is all of the penetration testing, vulnerability scanning, high value asset threat hunt. And we're also on the GSA for Health IT, which is another good niche, and then general professional services so we can do business through that. And we're here in Norfolk, Virginia, if you want to meet locally. I'd love to meet and have a cup of coffee if you need help with your CMMC journey or anything else related to things I've talked about in the podcast. I'm all about mentorships. I've had amazing mentors, and I'm hoping that I get to a point where I can pay that back. I'm always here to talk in one way or another.

[53:07] Richard C. Howard: Great. No, that's awesome. Thank you for coming on. This has been a great conversation, both in regards to CMMC and FedRAMP and to just your journey. I think people are going to be inspired by what you've been doing, and I've learned a lot. I think a lot of people out there have as well. So thank you.

[53:21] Koren Wise: Thank you so much for having me today.

[53:23] Richard C. Howard: All right, well, hey, everyone. If you want to learn more about what we do, you can go to Dodcontract.com. Koren has given you all of her information, so you can reach out to her. You could certainly shoot me a note too, and I can match you with her. As she's in the academy and has been around, we know her pretty well. So thanks again for listening and we'll see you next time.
