Breaking Into Government Contracts: What You Need to Know Before You Start
Selling to the government sounds like a dream. Steady clients, long-term relationships, and reliable revenue. But the path to becoming a government-approved vendor is anything but simple. In this episode, Bryan and Perry sit down with Lori Crooks, founder and CEO of Cadra, a compliance consulting firm helping small and mid-sized businesses navigate the complex world of government contracting.
Lori breaks down the alphabet soup of compliance frameworks (FedRAMP, GovRAMP, CMMC, NIST) and explains what they actually mean for your business. She shares why starting with compliance early is the single most important thing a company can do, how FedRAMP authorization can open doors far beyond federal agencies, and what continuous monitoring really looks like once you're approved.
Whether you're a small business curious about government contracts or already knee-deep in the process, this conversation is packed with honest, practical guidance on what it takes to get in and stay in the government contracting space.
In this episode:
- The difference between FedRAMP, GovRAMP, and CMMC
- Where to start if you're new to compliance frameworks
- Why policies and procedures matter more than most companies realize
- How AI is reshaping both cybersecurity threats and compliance tools
- The hidden business benefits of compliance beyond winning contracts
Connect with Lori: cadra.com | lori.crooks@cadra.com | LinkedIn: Lori Crooks
00:00 Introduction to Government Contracting
02:28 Navigating Compliance Frameworks
05:12 Understanding FedRAMP and GovRAMP
08:02 Starting Your Journey in Government Contracts
10:48 The Importance of Early Engagement
13:31 Maintaining Compliance and Continuous Monitoring
16:10 Automation in Compliance Processes
18:50 Organizing Information for Audits
21:39 Utilizing Tools for Compliance Management
22:55 Navigating Compliance Standards
24:06 Assessing Readiness for Compliance
25:32 The Importance of Comprehensive Policies
27:41 The Role of Documentation in Compliance
29:44 How to Reach Out for Compliance Help
32:06 Understanding the Rewards of Compliance
35:42 The Impact of AI on Compliance Standards
38:36 Future Changes in Compliance Landscape
40:58 Starting with Compliance Early
Bryan Jenkins: Hey everyone, thanks for joining and thanks for joining us today, Lori. We're really excited to speak with you and learn a little bit more about how some of our customers can into the government contract space. ⁓ mean, Perry, you can kind of Yeah, ⁓ we're really, really looking forward to it. ⁓ we saw some some background on ⁓ on your company, Cadra, and congratulations on 10 years. That is incredible. Lori Crooks: Thanks, Bryan Thank you. Bryan Jenkins: What have you kind of seen over the past 10 years? Like what got you into the space and how much has it changed over the last 10 years? Lori Crooks: It's changed a lot, will say, especially over the last 10 years, even over the last couple of years with AI now coming out. But I've started Cadra like you said, about 10 years ago, because I was looking help small to medium sized businesses actually figure out what compliance looked like. ⁓ I a lot, ⁓ as mentioned, in the governmental space. ⁓ Prior that, I did a lot of external consulting, but really wanted to help. I said, those small to medium-sized businesses because they didn't have the expertise and or the manpower to kind of figure out what needed to be in place in order to win new contracts or win new customers, anything like that. So that's why I started it. And yes, it's changed a lot over the last 10 years. It's gone a lot from kind of more of a manual process. Things are starting to automate a little bit more. And we're starting to see a lot more formalization. of the compliance frameworks, especially for those that are looking to get into the governmental space. Perry: Laurie, question for you, what what is it that you think it draws the majority of the folks you work with and even yourself in into the government space? It's it's it's kind of known to be so scary with all the paperwork at the very beginning, right? So it's a daunting, daunting approach. 
So what what do you usually see is the impetus for folks to to start taking on that that big challenge of of figuring out how to make their way through all the paperwork and questions and everything else that goes with it? Lori Crooks: Yes, that's a great question because it's no joke trying to into the governmental space. There are so many frameworks and so many acronyms and you know, hard to figure out. I think the main thing is a lot of customers want to get in it because once they're in, they're usually in for a while. They have pretty good standard process. They make those good relationships and it's a customer that they can rely on year over year. I am then obviously a lot more definite. different RFPs just for those governmental clients as well. Perry: Yeah. One more for you, this just kind of falls on, you know, any big difference that you see between folks that are trying to go at the state or municipal level versus at the federal level? They both have their complexities, but obviously the federal government's got ⁓ some advantages on that side and then sometimes it can be an easier entry to start working with with smaller municipalities. What's your experience been? Lori Crooks: It honestly depends. I know that's like the worst answer ever, but it depends on kind of where they're trying to go within the governmental space versus state versus federal. If the client is in the cloud and they're trying to sell to a federal agency, they're going to have to go through FedRAMP, which is a huge process. A lot of your customers are probably familiar with that. If they're trying to sell at a state agency or smaller municipality and they're in the cloud as well. Perry: Mm-hmm. Mm-hmm. Lori Crooks: get to go through GovRamp, which is, I would say, a lot less intense. And they also have some easier paths to a quicker way to be GovRamp certified. They can have a fast start through SOC 2. 
So if they're already doing SOC 2s for their commercial business, and they're going to start selling that same business to the government, state agencies, then they're going to have a faster track to get there with that SOC 2 on the state, ⁓ in the, ⁓ miniscule level versus the federal level. Perry: Okay, just one other last quick thing. So for the folks that don't know what FedRamp is, could you ⁓ because yeah, there I think once you get into the space you start learning these acronyms just pile on, right? But there's a whole different language of vocabulary. So FedRAMP for those that are non-practitioners, what's the easiest way you usually explain it to people? Lori Crooks: Mm-hmm. Yes. Yeah, it comes down to if your product or service is in the cloud and you are selling to a federal agency, that federal agency wants to use your product in the cloud, you have to become what's called FedRAMP certified. And that is a whole process in itself. Like I won't get into it, but it's a very time intensive ⁓ process that does take a lot of people. ⁓ will say they are making a lot of changes. ⁓ to the process where hopefully it's going to be a lot more automated and a lot easier. But in a nutshell, that's what it is. If you're in the cloud looking to sell to a federal agency, you have to go through the process. Similar to GovRamp, ⁓ that's more on the state side. So if you're looking in the cloud, you're looking to sell to a state. ⁓ A lot of the states are participating in that GovRamp as well as ⁓ local municipalities, local governments as well. Some school systems are that. So you have to kind of look at who you're selling to, where your product is, to figure out what you need to be certified. And just for your audience too, like that's outside of the DoD. Like if you're looking to sell to the DoD, there's a whole nother framework called the Cybersecurity Maturation Model Certification, CMMC. 
⁓ those who haven't heard about it, it's ⁓ huge thing right now ⁓ the DoD and a lot of those spaces. Bryan Jenkins: So with all that being said, Lori, like where do you recommend somebody like you know ⁓ we we've we've got so many customers that are that are familiar with the private space, but with the economy frankly the way that it is, right? They're looking for opportunities anywhere they could get them. And a lot of the times I'll look towards the government municipalities to try to find those opportunities. But like w where do you think the first place to start would be? Lori Crooks: It's a lot. It's a lot. I'm sorry. Bryan Jenkins: Would it be trying to get ready for the compliance aspect? Would it like where where would you even start? Lori Crooks: It's a good question. I definitely recommend starting with some sort of compliance framework. If they're not sure on where they're going to go from a government level, are they going to go DOD? Are they going to go to federal agency? Are they going to state agency? There are basic frameworks put out by NIST, which is the National Institute of Standard Technology. So it's a very well known government agency basically or sub agency that provides these standards that again, are used by the government, are used by these federal agencies and stuff. So one of the best basic frameworks is the risk management framework ⁓ or RMF. There's also a cybersecurity framework or CSF, government laws or acronyms. those are some of the good basic ones to at least start with. So you have a compliance framework to start. And then from there, you can kind of figure out, okay, which agency am I going to go to if you're going to go to federal outside of DOD or the state outside of the DOD. There is a NIST framework that they're both based off of, which is the NIST 801, 853. I'll get that right. And that's a huge one. So definitely kind of start working your way there. It's not like an overnight path. 
And then the CMFC, you're selling to the government, that also has a NIST framework to it. That's the 800-171, that's a little bit smaller, it ⁓ on kind of where you're trying to go, but I would definitely start off with one of the basic frameworks. And I know I just threw a lot more acronyms out there, so I apologize. Perry: It's it seems like part of the thing would be, you know, I think at at some point, do you do you suggest people sit down and kind of get a a brief overview of the frameworks themselves before they get started, start learning some of the vocabulary. I you've got to imagine that sometimes as you're going into one of the frameworks, it'll make reference to other frameworks and it do that by acronyms, assuming some level of of knowledge and awareness. So is there a you know, like that was a great tip for for getting started. ⁓ is there a place where you tend to send people to say, okay, like when you want to take your first baby steps, here's a place to start learning how to speak our language and understand all the different things that are going on. Lori Crooks: ⁓ Great question again. you can go out to the NIST website itself, but I think that gets a little overwhelming. There are other sites out there just put a plug in for Cadra's but we try to take that. One of our ⁓ taglines really just trying to help demystify ⁓ and make all these federal Federal Talk more plain English for people. So we have a lot of great blog posts out there that kind of explain the differences between these different frameworks there. But outside of that, LinkedIn is also a great place to kind of learn a little bit about what each of these different frameworks are, because there's a lot of great blog posts and articles put out there by experts in the industry. But outside of that, I can't think of just like one kind of place people go outside of like maybe downloading one of the NIST frameworks and it has an appendix of all the acronyms and everything like that. 
Perry: Yeah, actually I was thinking you might mention Cadra's website because I found it incredibly informative. It's it's ⁓ it w seems like it was written in a much more friendly manner than some of the federal government websites that I've looked at in advance. So Well done. Lori Crooks: Thank you. Yes, that's our goal. Because yeah, thank you. As you see, this is not easy. So we try to uncomplicate it as much as possible. that also helps my mind. So I'm trying not to make things complicated for people. Bryan Jenkins: So Lori, can you talk about once they get through you know that that initial ⁓ work? Like say they work with with Cadra, they get through getting some of the approvals for s some of these compliance ⁓ measures, ⁓ do those apply to multiple government departments? Like ⁓ working with with Cadra up front and ⁓ getting invested in being able to be an approved vendor and having the security and compliance required, like what would you say that would do as far as ⁓ opening the opportunities to to multiple ⁓ business opportunities and and growth in the future. Lori Crooks: Yeah, definitely. So especially if people are trying to go for the FedRAMP, I would say that is the most strenuous, but that also is the one that opens the most doors because if you are FedRAMP authorized, you can also typically take that and become GovRAMP authorized as well. But you can't get GovRAMP and then go FedRAMP. So that's why we say if you think you're going to work with federal agencies, try to start with the federal side and then you can use that for your state agencies as well. And then as well as even like commercials and people working with the DOD, they're required to use a verified platform or cloud product. And that's usually a FedRAMP. So FedRAMP products have to use other FedRAMP vetted products. 
So you're not only opening the door to working with federal agencies, but you're also opening the door to working with other people that are selling to those federal agencies. So there's going to be leverage on both the federal side, also to other, like I said, other products that are leveraging FedRAMP as well. Bryan Jenkins: glad you mentioned that. I feel like getting that gets you in the door and then once you're in the door, you have so many opportunities both horizontally and vertically to to sell. So ⁓ as far Perry: I'm Bryan, on that side, let me Lori Crooks: Definitely. Perry: Quickly kind of add add one follow-on to it. There's like of late, right? We've had a lot of folks that I've talked to have actually said, you know, gosh, it it used to be that I felt like this was just such a steady business and and that it was kind of a an easy to know, you know, once you got the contract, you know, how much work. And there was there are very few circumstances in which the government would back out of contracts. And then obviously a lot of people have seen in the new news that things have been turbulent. But then when I've spoken to people that are working inside of the government contracting space, the thing that I've heard back from them typically is, well, there's there's some, you know, there's been a little bit about people, but actually, you know, we actually feel like it's been a lot steadier than the news makes it out. You know, different points of view I think coming from all different directions. What's what's what have you been seeing on your side? 
Lori Crooks: seen a little bit of both to be honest and like I said if typically if you're in you're in I know there have been a lot of budget cuts over the last couple years so that has narrowed it down a little bit but ⁓ say the big thing at least from my side is FedRAMP is changing a lot they're changing their program they're changing ⁓ how you can actually get into the Program and they're trying to make it easier So I think a lot of people have also kind of been holding off to see hey house is gonna change house is gonna affect me to these changes you actually had to have a federal agency that was going to sponsor you through the process ⁓ That really made it ⁓ Because lot of federal agencies weren't necessarily wanting to sponsor ⁓ and product unless they were gonna use that product But now they're changing it where number one is more automated. But the main thing is you don't have to have a federal agency sponsor anymore, which is going to open the doors for a lot more organizations to be able to become that FedRAMP certified and then sell to federal agencies. Perry: It's a helpful note. Yeah, it's it's heard that like with some of the spaces where, you know, if it was a national institutes of health, right, it's been a little bit on the tougher side. Obviously ⁓ the DOW side there's been an increase in spending and then ⁓ you know just government's need for additional AI has driven enormous amount of spending on the on the infrastructure side for for data centers and and the like. ⁓ but it's really helpful to to hear your advice and guidance. ⁓ one more thing I'm gonna throw in there, Bryan, hopefully this isn't you know, steal a question you're gonna ask, but I think we're both thinking about it. When's the best time for people to come to work with you? Lori Crooks: I'd say as early as possible. Because there are a lot of caveats like we had talked about, we want to make sure that you're picking the right framework and based on where you're trying to go. 
And then from there, we can help you with a ⁓ gap assessment or readiness assessment to actually see where you already stand because we don't want you adding controls or adding complexity to the organization that you might not need to be. It's already a tough enough process. So we definitely recommend people come as early as possible because we can help make that whole process easier for them. Perry: As early as possible in okay. Yeah. That well I mean it it's gotta be a big help too. So Lori Crooks: Yes, yes, and that's our goal to make it, like I said, easy, transitionable as it is as possible for them. Perry: Yeah. That makes sense. Bryan Jenkins: I was just curious, Lori like how does ⁓ like once you get approved, right, what does the process look like for staying approved? Like it it seems like you're getting it's not just upfront, there's ⁓ there's more involved and what does look like? Lori Crooks: Yes, getting approved is the hardest part, I will say, but as you mentioned, you have to stay approved. So that includes what at least FedRAMP, GovRAMP calls continuous monitoring. So there is a monthly process where you have to upload some of your documentation. You have to upload your latest vulnerability scans. You have to update your latest plan of action and milestones, which is tracking all your identified risks and stuff like that and some other things. So it's something that has to be done on a monthly basis. In addition, you have to go through a assessment at least annually by your independent third party auditor. The first one's always the hardest because that's the full control set. But after that, then they do a smaller subset. So rotating three years to test all of the controls. So again, it's not something that it's one and done. It's something that you have to stay on top of. You either have to have a person usually internally to actually be managing everything. It's not something that It's typically somebody else's second or third hat to wear. 
It's typically one person staying on it within the company or it can be outsourced to somebody as well. Perry: How much of that is is able to be automated these days? I mean I know that at the end of the day there's a lot of judgment calls that need to be made, there's decisions that need to be made, but but I think I'm I'm thinking back and it's it's been a little while since I've you know been in in one of these you know full audit situations. but we're talking about you know hundreds and sometimes thousands of items, ⁓ right? there's standards and ⁓ how your business is meeting those standards and information that collected to support ⁓ you know showing how you've met the standard so I mean it it seems like it's it's it's still a very onerous task from an organizational standpoint, from an information standpoint, from an information management standpoint. Is that is that right? Lori Crooks: It is. And the good news is it's becoming more automated and FedRAMP is trying to help with the automation process. If organizations going to try to go for the new FedRAMP, which is called FedRAMP 20x, a lot of that is automation already built in, but that means the organization's got to build in that automation. ⁓ Everything that they output has to be machine readable. that whoever's auditing them. Perry: Okay. Lori Crooks: they could run it through an automated process to review the evidence. again, it's a lot of upfront configuration and making sure that you can get the output. FedRAMP people or organizations, there's some things you can ⁓ get ⁓ like can ⁓ automatically some of your access review logs or do some of the access review automated. Perry: Mm-hmm. Lori Crooks: But it's still a lot of, like you said, it's still a lot of manual process. 
It's a lot of screenshots, not only collecting ahead of time for the auditors to review, but also time intensive sitting with the auditors when they are going through their interviews and re-showing them and being like, hey, this is exactly how I pulled this piece of evidence that you looked at. It's time intensive, definitely. Perry: Yeah. Lori Crooks: Not for the faint of heart. Perry: And and even for the auditors as well, right? It's it's ⁓ you know, we keep on hearing about potential technology that's gonna help them, but at the end of the day, you know, you know, except for those places where to your point it's machine readable context. ⁓ you know, it's still somebody sitting down and and looking at your business and looking at the controls and looking at the evidence you've provided and and you know. Making record keeping decisions on it and then the final conclusion of report. Lori Crooks: Exactly. And within the NIST framework for the auditors, they have specific things that they have to do for each of the controls. So it calls out whether that control has to be an interview control, whether it has to be a test control, it has to be an exam. And so the auditors, they have to follow those processes in order to make sure that your package is actually good enough to be passed. So it's a lot of time, like you said, both on the corporation side because they're having to sit there and talk to the auditor but also for the auditor to go through and be like, hey, is this right? Like let's relook at this and spend some time, you know, going through all that. You know, FedRAMP moderate, which most people have has about 300, 25, 350 controls. And a lot of those have sub controls. So like you said earlier, it could be thousands of pieces of evidence by the time it's all said and done to meet all of those controls. Perry: How do how do you usually guide people towards managing all the information itself? 
Is is is there a particular is there a particular process or approach that you typically recommend that helps people to keep the information organized and ⁓ ⁓ to make it to where it's easier to carry out those parts of the activities? Lori Crooks: It depends on the organization. There are some tools that we sometimes recommend that helps kind of centralize all that. And, you know, there are reminders and stuff, you know, that say, hey, remember to get this piece of evidence. seen people ⁓ have like a whole JIRA board for it where they have all the controls laid out and then they have the evidence linked within JIRA. And then they have each of the things assigned to different people again ⁓ those. But again, ⁓ takes time to set up. ⁓ really around ⁓ Perry: Yeah. Lori Crooks: just organizing it in a ⁓ and having ⁓ sort of process to, like I said, remind people to collect that evidence because not everything has to be collected right when the auditor's there. Some of it has to be done monthly, some things have to be done quarterly, some things have to be done ⁓ frequently than that. So it's really about setting up those processes ⁓ knowing who's responsible for what and when the next time that. Bryan Jenkins: Well Yeah. Lori Crooks: task has to be done so you're not missing it because if you miss it that's going to be an issue when the auditor comes. Bryan Jenkins: And you need a way to prove, right, that it's been done o over the course of time, right? Like you need timestamps, et cetera. Yeah. Lori Crooks: Yep, yep, exactly. You know, and we tell a lot of people because we know everything else is so expensive to go through. Like a lot of that can be done manually, internally with, you know, spreadsheets and, you know, Word, SharePoint, you know, those types of things. But again, you have to kind of set up that process if you don't have the extra money to buy like a GRC tool or you don't have internal knowledge to build up some sort of plan like that. 
Perry: Yeah, good for it, Bryan. Bryan Jenkins: So lot of our customers use RocketDocs for for just that. So they actually have content libraries and workflows, et cetera, to sort of one track and make that audible, but two, ⁓ you know, prove that certain things have at certain times. It also helps with delegating some of tasks. So yeah, it's a natural jump because a lot of the people that we work with already have these libraries, and they're looking for ways to utilize those workflows and information to be able to qualify for. Lori Crooks: Perfect. Bryan Jenkins: More government contracts and and bids. ⁓ and I think that's it's such a huge, huge point there because w when things are manual like that. Lori Crooks: Yeah, that's great. Bryan Jenkins: it's hard to prove with certainty that that those actually happened. There's no you know, time real time stamp or anything that's ⁓ doing that. So and it it's also hard to to to define those workflows. People are, you know, busy and they have day to day jobs. So going back and making sure they have spreadsheet sometimes gets forgotten. Lori Crooks: Exactly. Yes. Yes. And the more manual to it, yeah, it gets like you said, yeah, I was going to say if more manual, it either gets forgotten or people miss it in that way. So it's great that you'll have that automated. I do want to make a point to your automation. One of the great things about having everything in some sort of library like that is it makes it easy to go through multiple types of audits. So you could do your SOC 2. Perry: Mm-hmm. Lori Crooks: lot of those controls might also leverage to a FedRAMP or a CMMC or a GovRAMP, know, whatever other controls you might be going to if they're doing HIPAA. Same thing, a lot of the controls do overlap. So if you're able to have everything in one place, it's just a matter of mapping those to the appropriate standards and using that same evidence for multiple audits. 
Bryan Jenkins: Yeah, and the the key there, correct me if I'm wrong, right, Lori, is going to somebody like you that has the experience to know what kind of policies, procedures, questions, et cetera, you need to track. And then using a tool to be able to automate that process. So that way it makes it easier moving forward. And yeah, yeah, that seems like the win-win combination for making this a success. And I think truthfully, I think that's like the the thing that holds a lot of people back from jumping in, is they they feel like the investment up front is so much and there's not a guarantee that. Lori Crooks: Yes, definitely. Yes. Yes. Bryan Jenkins: you know, it's gonna work out. So ⁓ having that plan up front and having, you know, that in place at least increases the ability that they'll be successful. And measurably, I mean, like when you take on a new client or you you take on somebody and like what are some of the things that you look for inside of their business or inside of the product that they offer to say, hey, like you're either ready or you're not ready to to make this jump? Lori Crooks: Sure, we typically look at, we start with policies, procedures, honestly, because those are required by any of the standards that you're looking at. ⁓ always ask, you have policies and procedures? And then we talk about the infrastructure. ⁓ it in the cloud? Is it physical? ⁓ then that kind of leads us down kind of the next sort of questions, we want to know what ⁓ the is, what's the scope of the assessment or the scope of the product that you're trying to sell. ⁓ We ask that because a lot of customers have a separate product that they're selling to the government and they are selling to commercial because getting into the government like we talked about, it's so strict it's very expensive to build that environment. So people ⁓ a separate ⁓ that doesn't have all the strict controls. ⁓ we talk about that. We talk about access ⁓ controls, obviously. 
How are people getting access to it? What other products are they using within the systems? So it's really just a deep dive of what they have, what they don't have in place, talk about encryption, just some of those basic things. And then we kind of scope it out to say, hey, does this meet the requirements of whatever standard we're going to? And then we can kind of help them identify where the gaps might be just on that interview and say, hey, let's fix these things. And then if you fix these things, you might be ready or this might take a little bit more time. Perry: Mm-hmm. You know, it's interesting. I've I've I've I I think going back to to one part you talked about was policies and procedures and ⁓ I've heard a lot of people, they just kind of they're they're not inside of the space, they're not working on these government contracts, and they're like, Yeah, we have policies and procedures, right? Because somebody went through and did their HR training. but when you're talking about the policies and procedures and the work that you do to help people out, ⁓ we're talking about a lot more than just, you know, you do you have a a sexual harassment policy? Do you have a clean desk policy? Do you have a policy about, you know, how much time to take off of work and how To ask for PTO. are really ⁓ and then standard operating procedures or operating procedures that are implemented in the day-to-day governance and operation the business, right? And so what's the best way that you end up, you know? Well, I guess first off, do you end up running into those scenarios where somebody's like, ⁓ yeah, no, no, we've got we've got policies and procedures, right? And then ⁓ Bryan Jenkins: Yeah. Lori Crooks: all the time. Perry: Yeah, and then what do you tell them when you're like, Okay, yes, ⁓ th that's a good start, but we have a lot of work to do. Bryan Jenkins: Yeah. Yeah. Lori Crooks: Pretty much. mean, like you hit the nail on the head. 
have to take what you have and expand it ⁓ order to ⁓ number one, the requirements, but I also try to ⁓ them how important it is to have these standard operating procedures. ⁓ lot of these small to medium-sized businesses might only have one or two IT people or one or two security people. So it's really important that they document what those people are doing in case, you know, that person is out one day or they suddenly quit or something happens and that person is not there anymore. Especially when you're dealing with compliance because you don't want that next person to come in and start doing something that's not going to be compliant, you know, because again, that's going to be a red flag. That's going to cause an issue during your audit. And I always tell people to one of the biggest issues, unfortunately with like breaches and stuff is with internal people. And sometimes it's just because they don't know what they're supposed to be doing in a right manner. And if you have that training and if you have the right policies and procedures documented and they know where they are and they're followed, you you're going to lessen some of those insider issues that happen unintentionally. Bryan Jenkins: Yeah. Perry: Yeah, I'm I'm just I'm thinking back to some of the challenges I've gone through myself and I'm wishing that I had started with somebody like you ⁓ to help guide me through the process. There's so many times I remember ⁓ you know, having you know real requirements with regulatory obligations that not only are obligations to your point that you need to have in order to be able to win certain types of business, but then also ⁓ it comes down to you know, these are effective ways to operate the business and to provide continuity when people are out or when they transition. 
But yeah, it was a little bit of a flashback to the points in time where I remember sitting there thinking, oh my god, there's gotta be somebody who knows this better than, you know, this book that I'm looking at or this website that I'm trying to understand, somebody I can ask questions of, get some guidance and feedback from. And I've got to imagine that when folks do reach out to you early and they start working with you to implement these, that, you know, they're getting a much better process than the one that I went through, where you're just kind of blindly trying to figure it all out. Yeah.

Lori Crooks: Thank you. We hope so.

Perry: So I'm gonna actually, just for a second here, I'm gonna break away from the normal format and ask you to, just in brief, give people the best way to reach out to you and when to reach out, and any other information that can help them to understand, because I think this isn't about your business right now. This is really about when somebody's in the weeds and they're trying to figure this stuff out, having a critical resource, something that changes the results. So yeah, what do you suggest they do in order to contact you or someone like yourself, in order to not have to have a very, very trying, difficult experience of learning by not getting it right and then having to do it over?

Lori Crooks: No, I appreciate that. The best way to contact me is you can email me directly: lori.crooks at cadra.com. It's C-A-D-R-A.com. You can also go to my website. Again, there's a lot of great information on there. Like I said, we try to post blogs at least weekly, if not more. And then you can find me on LinkedIn too, under either Cadra or just Lori Crooks. I post a lot out there.

Bryan Jenkins: Yeah. No.
Lori Crooks: Usually four times a week of different information, trying to continue just with the education of what these frameworks are, what the changes are in the industry. So those are kind of the top three ways people can get a hold of me. Like I said earlier, the best time is anytime, but the earlier the better. It's easier to start with a compliance mindset going into the whole process versus...

Bryan Jenkins: Mm-hmm.

Lori Crooks: ...getting into the process halfway or three quarters of the way and then realizing, oh, we need to do X, Y, Z. Especially because, as we talked about earlier, a lot of these controls have to be done on a regular basis, and if they're not being done, that's gonna push your audit out even further. And so if we know that early, then we can kind of start setting those up sooner rather than later. And you have that information in the time and the manner that you need it to perform the audit. And we typically find people who go through either us or somebody else to get them ready have an easier time getting through the audit. I work with a lot of third-party organizations, and it's easier for them knowing that someone like myself has helped the client through the entire process, because they trust the information and the documentation a lot more than if the client wrote it themselves, you know, they're not quite sure what they're gonna get. So they're gonna scrutinize it a little bit more. Honestly, that's our passion, to help these organizations. Like I could be out there doing, you know, whatever, but I really am passionate about helping organizations through this process because I know how tough it is. I've been on the other side. I have been audited multiple times with large corporations. And that's why I'm on this side of it, just trying to help people, because I feel like there is a need, especially in this governmental industry, because as we talked about, the acronyms are insane. The workload is not light. It's very hard.
And we're just here to help people at the end of the day.

Perry: Yeah. It sounds so daunting. What's the ultimate reward on this? I mean, I've ended up on flights where I've talked to folks that live near San Antonio. So I fly out of an area that has a lot of folks that are doing work for the federal government. And I've had points in time where people are like, we provide toilet paper. Like that's what my business does, right? We don't make it. You know, we source it and then we make sure it gets in the right place at the right time. And then I've had, you know, all the way through to places where you're talking to folks that are, you know, on micronuclear reactors to power Army data centers, right? So there's a vast array, and I've got to imagine there's a lot of different-size opportunities. When people are trying to understand, like, what is it that I get for putting in all this work, for engaging someone like yourself, or going through all these different operating tasks, where do you see that the financial reward for their business ends up being?

Lori Crooks: It's tough to say. I always say compliance, unfortunately, is not a cost center. But if you have compliance done, and it's done correctly, and it meets the right standards, you're not only going to win more business, because people will trust the product because it's gone through that third-party audit. It's listed on the FedRAMP marketplace. That means it's been validated. But also, we're hoping by putting all this in place, you're reducing your risk of breaches, business continuity issues, insider threat issues, like we talked about. Not only is it going to be a financial gain for working with the governmental agencies, but it's lowering your risk for some of those other things that could happen if it wasn't in place, which is hard to justify from a cost perspective. But when you see, like, the average cost of a breach, like that...

Perry: Yeah. Uh-huh.
Lori Crooks: ...puts things in perspective, knowing as part of this, you have to have an incident response plan. You have to have all these controls in place to help you through that.

Perry: That's really, yeah, it's really helpful. I think, as much as anything else, it's, you know, by taking all these steps, you're really talking about a way to run your business in a more efficient manner. You're talking about a way to mitigate against different types of risks and threats. And then you're creating resilience, right, with the capability to respond, because you're thinking through all of the different types of issues that can arise and how you might respond to them.

Lori Crooks: Correct. Yeah, it's a huge benefit. I don't think a lot of people realize it's definitely more than just selling to the government. It's protecting your organization, protecting the data of your customers. If a breach does happen, image is a huge thing; you could lose customers as part of it. So, like I said, it really comes down to kind of some of that risk reduction as well, figuring out where that is as part of it. And I feel like it gives people a little bit more peace of mind too, especially within the organization, saying, hey, we've gone through this. Again, just because you've gone through it once doesn't mean that, you know, it's always going to be correct, because you have to do that continuous monitoring. But it means that you have good controls in place. They're solid. They've been vetted. And now you just need to keep them up, which is the easier part than actually putting them in place.

Perry: It's, yeah. Yeah, it's easier maybe to get it to that point. I guess the other question I've had people bringing up lately is how much should they expect that the standards are going to change over time?
So just kinda dialing into, you know, what AI is doing to impact some... Well, you know, there's not as many AI standards out there that are independent today, right? There's an ISO standard for it. We're, you know, starting to see a little bit more, but the amount of adoption of AI that's occurring seems to be speeding past the number of compliance standards that are coming out that are guiding people on what to do. Are you seeing that there's likely to be a significant number of changes...

Bryan Jenkins: Please.

Perry: ...changes in a lot of the different compliance standards that are out there to address the ever-changing environment that AI is presenting us with as we wake up each day?

Lori Crooks: Yes and no. As we all know, the problem with government is things move very slowly. So being able to modify a big standard like NIST 800-53, it takes years. They're only on revision five, and the standard's been around for, I don't even know, 20, 30 years now. So some of the bigger standards, they're going to change as, unfortunately, the environment and technology are.

Bryan Jenkins: Yeah.

Lori Crooks: But there are slowly more standards. NIST has an AI risk management framework out there. And I saw recently that the DoD is also trying to implement some AI controls within their latest CMMC kind of framework. So they're adding different controls.

Bryan Jenkins: That's... Yeah.

Perry: Mm-hmm.

Lori Crooks: So what we might see, and again, I'm not an authority on this, but what you might see is more of the federal agencies requiring it themselves outside of the actual frameworks until the frameworks catch up. And even then it's going to be a little time, and then it's usually once a framework's done, they'll draft it and then they have to open it for public comment. And then, you know, it takes a while.
So 800-53 rev six is probably, you know, at least another year or two away from being published, which might include AI, and then, unfortunately, by the time it comes out, AI might have changed again. So yeah.

Perry: Yeah, it'll be old.

Bryan Jenkins: Yeah.

Perry: So we can see that the standards themselves are not likely to change all that quickly, but there might be additional flow-down requirements that will come in the contracts themselves, trying to address some of the different risks or requirements that the government or others see are necessary in order to provide services.

Lori Crooks: Yes, agreed. And that's what I'm thinking, like I said, with DoD, they're kind of doing that. You know, GSA, they have their own kind of framework as well. So it's probably going to be flowed down, like you said, either through contracts or, you know, through these different agencies.

Perry: Bryan, I'll pass over to you again.

Bryan Jenkins: Yeah. My last question, Lori, is, I mean, you've been doing this for ten years. A lot has changed. I mean, what do you think's gonna change over the next five years? Or maybe that's too long. What do you think's gonna change over the next...

Perry: Yeah.

Lori Crooks: I was going to say five years is tough. Yeah, yeah, exactly. No, it's going to change a lot. It's good and bad from a cybersecurity and compliance perspective, because on the good side, we're able to detect a lot more of those threats. We're able to look at them a little bit more, analyze them, figure out where the threats are quicker.

Bryan Jenkins: I was gonna say, like, we might be on Mars at that point. I don't know.

Lori Crooks: The opposite side of that is also the bad actors, the hackers, are also using AI to attack. So it's going to be changing just kind of that perspective. But I also think from a compliance standpoint, a lot of the tools that we're going to use, they're going to start using more of the AI to analyze that evidence and help write those policies and procedures.
So that means my job is to pivot a lot, I think, within the next couple of years as well. And so that's really, you know, with Cadra, we're kind of figuring it out ourselves, like, hey, how do we pivot with the changing environment and what AI is going to be doing in the future around compliance? I think there's a lot of change to come. And it's just a matter of finding our way through it and finding the next best place to land and figuring out how we can help our customers through the process as well.

Bryan Jenkins: Very much there.

Perry: It is a great answer. I love it. I've got one final one for you on my side. If you were going to, you know, let's say that you're gonna give your best advice to a new company that is thinking about, like, you know, should I go down this path, right? So I'm gonna sell a product, we're gonna have it to where it's subject to different types of compliance requirements either way. Should we be thinking about, you know, adding the government as an additional pathway, with all of the work, when the company's still at an early stage, small level, with not that many resources? What's your best guidance at that point, when somebody's at that split in the road or the fork in the road where they can decide to add this additional set of what seems like very, you know, complex and challenging aspects of operating the business? But then there's so many things that you mentioned that are secondary benefits that come from doing it as well. How do you guide folks like that?

Lori Crooks: I'd say no matter what, you should have some sort of compliance security framework for the organization. Like I said, NIST has some great baseline ones. And if you start there, those actually translate very nicely to some of the larger ones. But you want to make sure your basic cybersecurity controls are in place. You want to make sure access controls are in place.
You want to make sure things are encrypted properly. As long as you're starting to protect the data when you're building that organization, that's really going to help you down the line, whether you go for a governmental contract or not, because it's going to keep your customers' data secure one way or the other. And I'm happy to talk to customers a little bit more too, as they're kind of maybe at that path and trying to decide which way they want to go. But long term, you need cybersecurity, you need compliance, no matter what you're doing, because it is going to protect your data. It's going to protect your customers' data. It's going to protect your information. And it's hopefully going to lower the risk of some of the things that we had talked about, no matter what path they choose.

Perry: Mm-hmm. We usually end with one part, which is just you being able to, you know, kind of throw out any piece of information that you wanna share with, you know, folks that would be watching this. So it's, yeah, a free one for you to share any guidance, ideas, pitch, whatever you wanna do. And yeah.

Lori Crooks: Man, that's tough. That's probably the toughest question I've had all day. Don't leave it wide open for me. Now you're putting me on the spot.

Perry: Yeah.

Bryan Jenkins: The best one is probably to remind people where to find you again, because I'm sure now they're even more likely to do that. Yeah.

Lori Crooks: Yes. Perfect, thank you. They can find me at cadra.com, C-A-D-R-A.com, or LinkedIn, Lori Crooks, and/or cadra.com. They kind of post similar right now. Or like I said, you can email me directly if you have questions. I'm happy to get on the phone with anybody too. If you email me, there's a link in my signature that has time to book with me to go through any questions that you might have. Again, I love helping people, love helping people. So that's really why I started this business and why we're looking to help others in the space.
Because as we see it, it's not easy, it's complicated.

Bryan Jenkins: And that's why it was a pleasure to have you on. So thank you so much.

Perry: Yeah. Yeah. Folks, yeah, Lori Crooks, CEO, an entrepreneur, you know, incredible business with Cadra, right? If you're in the space where you need somebody to help advise you on cybersecurity compliance, on, you know, government contracting, how to get into that process, definitely, you know, look to Lori and her team. It's a very, very, very, very, very difficult process to do on your own.

Lori Crooks: Thank you.

Perry: I speak from first-hand experience, don't recommend it. Do recommend working with an expert like Lori and her team at Cadra. So thanks all so much.

Lori Crooks: Thanks Perry, thanks Bryan.

Bryan Jenkins: Thanks, Lori.