
there you go welcome everyone my name is shane staley and i'm an opportunity strategic lead with the national homeland security training office here at idaho national laboratory in idaho falls coming to you in sunny idaho falls this morning hope your sessions are going well today we're going to be talking about the organizational security cyber security competency health and maturity progression model i know that's a mouthful but hopefully by the time we're done today you'll know a little bit more than you did before this model is called cyber champ why is why now by cyber champ clear educational training and learning pathways uh do not exist to form a structured cyber workforce to realize organizational security goals
and the threat landscape is ever changing and so having an ever competent cyber auditing workforce is difficult cyberchamp actually helps us take the vulnerabilities of our organization and help to solve those and become more competent by tying it directly to the competency health of individual roles within the organization and the cyber champ model provides an organization the ability to build these customized and clear educational training learning pathways which help us achieve our organizational security goals in this ever changing threat landscape this is the model it's a customized self-help solution for industry academia and private sector and basically what we do is we actually go and train a team of individuals within that organization to be able to
form this model within that company for business um the idea here is to be able to understand the cybersecurity education gaps and then target operation readiness improvements around the competencies of the individuals within the organization um a lot of organizations sometimes aren't sure where to start or how to improve security uh they might lack an organized security workforce structure sometimes it's very difficult to understand security competency gaps and oftentimes if you're in a cyber role or security role it's hard to justify training and so it's really important to be able to develop your individuals in security and when you have that conversation with management sometimes it's already thought that my security is an overhead unit anyway why
would i spend more money there so the cyber champ model can be applied to all roles in organization to help us actually build that competency and provide direct roi to the business from a value proposition standpoint we actually help establish organizational baselines where individuals become competent and stay competent and then the way that the model works is we actually build a roadmap for improving that security posture we help the company through the self-discovery process of how to establish an organized organization-wide cyber duty workforce profile and then in the end
security applicants are not qualified local levels training providers industry and government government and the pipeline fulfillment really needs to come from the current workforce within an organization that future workforce students veterans career changers and so on this is actually a picture of the model once again i think i showed it earlier but here is an actually the question we want to talk about or really consider what's new and novel about this model and compared to other models and quite frankly i'll tell you not a lot however what is unique is that the concepts that the model deploys are generally not found under one roof to be able to get to this competency area so on the left you
actually have specific measurements for the security state of organization so you have security and cyber security measurements and then you create a workforce profile so you have workforce development on this right-hand side then you go into specific competencies of individuals and then we combine that with instructional design techniques and and training uh such as bloom's taxonomy and progressive learning and those type of items all in one model so that basically you can help your organization really understand where you are and build to get better this next slide really focuses on the fact that workforce competency health in this lower right hand corner that really goes to the underside of the stair steps here is directly linked to the
organizational security operational readiness which is the top set of those stair steps and as you go up these stair steps we realize that each level of competency health directly impacts security operational readiness now in most cases we would really hope that if we were doing this we would actually improve right however much like an individual if you don't pay attention to your health and actually do some things about it you can decline in health and that actually will impact in you know impact in this case security operation readiness of the organization and so it's important to invest in competency the organization so that the workforce competency health can actually always directly positively impact your security
operation readiness the model itself has it's a process cycle as anything else in security it's continuous in nature but it has five phases and phase one we analyze initially uh that organizational security maturity status and then we help the organization understand to design a workforce structure around a cyber ready workforce then we actually talk in terms of a competency profile and we talk in terms of where they're at within their roles and within competencies and we use the nist nice framework the nist nice cybersecurity workforce framework and um a another framework that inl has created which is an industrial cybersecurity framework so this model really spans the entire gamut of security it/ot cyber physical it isn't just
limited um to any one area within security um and that's what's really important about this competency profile and then from that net from phase three we actually go into phase four where we work with this organization utilizing a task survey analysis which i'll show you here in a minute where we develop and implement or the actual organization develops and implements learning paths and training plans and think of a learning path as that career perspective so we're going to give you a big old blob of training courses but then you can sit knee to knee with an individual and pick out from that learning path kind of a career perspective what that one to two year tactical
training plan looks like to be able to properly help your individual become and remain competent and also get the maximum roi return on investment for the organization and then once you actually develop these training plans it's up to the organization to commit and actually take the training and or do the ojt that's prescribed and at some interval of time you want to come back around and evaluate that success so we would be able to do phase five maybe after a year maybe after a year and a half whatever the company thinks is it makes sense to be able to see if now after we've improved the competency health of our organization has there been some appreciable uh
security gain specifically in this realm a cyber security gain in what we're doing if anyone has ever actually created a course using the addie model i like to show this slide because sometimes people get really caught up in the colors and the lines and the rows and and all the moving pieces but really all we're doing is like the way you would create a course so the addie process is just basically uh you know those five letters we analyze current state we designed that from that current state we develop uh you know lesson plans and learning we implement that course and then we come back around and evaluate the effectiveness of that course that's really all we're doing for the
workforce development in an organization surrounding organizational security we're just taking uh that model that you do for a single course and really just helping an organization realize that within workforce development from analyze to evaluation so when we talk about cyber security operation readiness um it's important to understand this is a workforce development model and so i'm not trying to we're not trying with the model to upstage or supplant any other current measurement processes there's plenty of them out there this is also not what you would consider bits and bytes assessment what we are doing is we're actually helping an organization understand where they sit in some very important realms uh and you can see them across the top
there we'll talk about them a little bit later but where are they at in their security program maturity um what type of policy control rigor and process control rigor do they observe what practices are observed in the organization uh from a security and cybersecurity perspective and then what policy and artifacts are actually in place and so we give them as you can see here this kind of current progress look with the green area and then specific areas of improvement that we can then attach directly to the company and you'll see competency needs of the organization and we'll show you that a little bit later but let's ask two quick questions here on this part of the model
so what's the current state of the organization towards operational readiness um if something happened are you ready right that that cyber security notion that um we don't know when it's going to happen but it's not a fact that uh and if it's probably when and then what areas of them what areas of improvement are identified based on that current state and we talk about cyber security here in the question but really uh more and more security is is is coming towards um you know cyber physical it/ot the convergence for all of these and so the model helps in all realms there on the second side of the model on the right side of the model
we talk in terms of building that workforce structure and we'll show you how we do that but basically let's ask a couple of questions on this side and that is based on the areas of improvement identified how do organizational cyber security companies competencies align and then based on those competency gaps what learning and training is needed across the organization to establish build and then continue to improve upon the security program in place and so those are the questions that the model really helps to to solve for an organization that that and and these tie directly into the pipeline we talked about those gaps and we identify that you know we can't go out and hire 30 contractors
so i need to really develop my current workforce but if i understand my workforce structure i can also implement contractors where needed or understand where to insert apprenticeships and those types of things so there's two sides of this model and we talked about them as sections there they span together they're connected together by the rows called levels so section one on the left is this measurement area of operational readiness and on the right we have competency health level now if i actually compare these and i say in my first level if i was unprepared in operational readiness that probably means i'm at a very fundamental level of actually understanding uh are actually in competency health
and so as i go if as i increase in competency health level i should see hopefully an appreciable gain in my operation by linking it directly to uh improving the individuals in my organization which is sometimes lost uh i think within this uh fight i'll call it with cyber security and security um as far as the measurement analysis um like i said as far as new and novel we use the cyber uh not a whole lot there right we use the cybersecurity framework maturity uh that came out in 2018 there's also a maturity tool that goes with that for the process and policy rigor we use the uh nist the cyber security the the nist nice cybersecurity workforce
framework and i'll tell you how we use those we use the tasks from there and we use the cmmc model for the practices in this current mapping right now as we speak we're actually mapping four other primary main models and so it's important to understand that that the cyber champ model doesn't rise and fall on just the practices in cmmc there are many uh practices that you can map this to we've started c2m2 you can do nist 800-53 nerc cip um 62443 whatever standard you feel like you want to map the practices to to be able to measure this for your organization the model can implement that um so let's go specifically through some just a quick rundown
of of what we're actually doing we measure this operational readiness area so first of all we're going to take a look at the the nist cybersecurity framework for improving critical infrastructure document and it has seven steps in there and we're just going to talk about and in general terms we ask questions we have a master template survey that we use it's kind of a really big spreadsheet with scoring in the background and we just go through and ask questions and we go through each level of this measurement in the same way and so first we're going to measure this program level and then we'll take a look at your policy in your policy rigor uh what kind of change control is in
place how often do you actually implement the policy is it currently up to date and then we take a look at the process control um you know the change configuration management and specifically uh when we talk about processes it's really how you're implementing the practice practices and so we take a look at the practices in this case the 171 practices for cmmc and we we try and establish from basic cyber hygiene to advanced or progressive um how is the company doing how is the organization doing in and actually establishing these practices and then finally we take a look at uh 24 policies um that really uh span maturity level one through maturity level five and we've mapped that to the practices
and we say okay as an organization do you have an access control policy do you have remote access control policy and we talk in terms of where those sit um so there's a lot of opportunity here to understand where they are and then in the end we can really get this state at the bottom that's called security maturity so how does that look kind of as a as a as a pass we're really just saying okay you know in measure one we were this far and so we're kind of accomplished at that level and then we can see the area of improvement so that's that's why we're doing this right we're trying to understand where do we need to improve and how can
we get better and once again it's very important to understand here this is not regulatory or compliance in nature this is a self-help tool for the organization uh to be able to understand how to get better and improve so we're going to go down through each one of these areas and measure each one and then we get kind of with the this is all qualitative data but we can provide a quantitative score and so each block in the model gets a four percent if accomplished and really kind of a zero percent if there's areas for improvement and we can add that up across the rows that we're measuring and get it get a a cumulative total in
this case of 52 percent which is in that reactive range so based on the information we've measured we can say this organization is reactive uh from a operational readiness standpoint now then we go into section two and let's talk about well now that we know that what do we need to do to improve or get better well let's see who's first of all responsible for getting better so what does the workforce look like and who's supposed to be doing something and then what's the competency level the individuals that are assigned and can they do it and are they capable and if not how can we help them be more capable and then what training and learning
paths are needed if they need help now and in the future so let's take a look at that specifically and we're going to start with utilizing some diagrams that i've drawn from an old model that i pulled out of the shelf uh the sans ics gcsp job role competency level recommendation diagram and uh although this isn't like theirs i did use the information from theirs to build this and they have four functions and i call these actually cyber competency functions i actually added a fifth function and implement so the four original ones were awareness support maintain and design and i added a fifth one called implement now the key here is that they're mapped
to job role groupings and this is how we start to structure an organization on who's responsible for these cyber competency functions um so from and how we get there so basically when i take this mapping i can say that pretty much any job role in my organization needs awareness but as i go up on the right you can see that the job role groupings become less which you would think makes total sense because now the abilities and these uh actually become more complex and harder to achieve so that's the first step is to create the cyber competency functions and the job role groupings then we take the organizational look at this and the top row is job role groupings
and then the columns are the job roles associated with each job role grouping and we've just finished modeling this with a statewide energy provider and it was very interesting because when we got done they had all of their roles in the organization that had really any security or cybersecurity aspect to it and we were able to map them to this so so that we could be able to understand their job structure well that's great uh and all but why do we do it well let's go to the next step and we now take the operational readiness the cyber security operational readiness maturity level and from the left side of the model and then we've mapped that to the five
cyber security competency functions and then we have a conversation or or the organization has self-discovery to say okay based on our job role groupings what security competency function level do they need which is directly related to that maturity level and operational readiness and so these x's represent the level of training needed by anyone in those job role groupings and so you can see here that engineering communications all the way through from awareness to design and on and on all the way through here this is a very important aspect because the next step we're going to do is actually take a look at the areas of improvement and then who's responsible for those areas of improvement within the organization
so before we showed you one level and now we actually have this this whole matrix now where we've measured uh each area and we've come up with improvement areas where the organization may lack some competencies now the next thing we're going to do is let's because we've now overlaid who's responsible for the competency and how that links to operation readiness i can now specifically show or actually we've specifically identified which job role groupings are responsible for those issues so if you look at the the intersection of maintain and policy i have operations technology i t cyber security engineering i t staff job role groups responsible so somebody in those job role groupings if we have
deficiencies here and notice since the green check mark is to the left of my circle we know that this is in an area of improvement and so in this specific picture any block that has names in there i've actually overlaid the job role i actually then can go and say okay instead of measuring across in rows let's take a look at the competencies by function and the column and so i do the same type of measurement and i come up with a competency health level and in this case as you would expect as i mentioned earlier the security operational readiness of the organization is directly linked to the competency health level and in this case they're reactive in
operation readiness and then they are intermediate in their competency health level with specific areas of improvement identified now that we've actually got the organizational understanding at a high level let's now start to focus on individuals and the way we do that is we actually created a task analysis survey and this task analysis survey consists of the one thousand five tasks from the nist nice cybersecurity workforce framework and 45 tasks from an inl model which is industrial cybersecurity based with 45 tasks in five roles so what we do is we actually neck down and i'm actually going to show you the task analysis survey here in a minute we actually necked down from the seven categories of
of the nist nice cybersecurity workforce framework and an industrial cybersecurity category added by inl's expertise and research and actually quite frankly if you're familiar with the gentleman by the name of sean mcbride who's done a lot of research in this area i'm a joint appointment at idaho state university and then we've worked really hard on really making this where an organization organization can use this for their benefit so we've mapped the industrial cyber security side in here which generally when you talk about the nist nice cybersecurity workforce framework it's an it model not really known for industrial cybersecurity however what we do is we go from the categories the specialties to the roles and that necks down this
task list where an individual can take a survey on what they actually perform in their job every day and so you might ask the question well yeah but the nist nice cybersecurity workforce framework has tasks and knowledge and skills and of course if you're familiar with the newest version they've left off abilities but the old one has abilities well that's true but it's really hard for me to ascertain knowledge skill and ability but i can talk in direct terms when i really ask you what you do every day and so that's really why we chose tasks as this foundation for them so i go through this i do the task analysis survey and the key here is
if i go to a business anywhere in the industry academia government uh you know and i ask what is the name of your role let's say cyber analyst is the name of my role or the name of my job position that's not gonna necessarily match to the uh nist nice cybersecurity workforce framework roles nor is it going to match to maybe something that i can actually attribute to training so the first thing we're going to do is we're going to take whatever role they have whatever job they have and map it to a role or roles within the nist nice framework and this allows us to target specifically training because a lot of organizations have already mapped training the
nist nice framework so if i take a look at this pie chart on the left and i have in this case have selected 24 tasks um i can actually say from that tasking that about 60 of of what this individual does every day is really in two roles a program manager role and a database administrator role noting that most of us don't really have always a succinct role and if you want to talk in terms of creating a training plan that makes sense for helping the individual become more competent but more importantly in the case of business provides direct impact to the roi let's make sure that the training is pointing at roles that directly impact the business because i'm saying
this is what i do every day so there's two aspects there are ways to look at this the left pie chart is tasking overall the right pie chart is actually tasks within that area so as you can see there were 24 for tasks that i selected 30 of those were in database administrator and in program manager and 14 of the 24 as you can see in that little purple area were tasks within database administration and if i look down below i can actually see in this program management area that of the 24 that i chose that a smaller portion was in that kind of orangish area that's program manager now this is important because i can
actually now target the specific training so we've got the roles we understand how to target that now let's talk about competency now before i mention in the background we've taken every task and mapped it to the blooms and if i didn't mention that i i just mentioned it sorry so all those tasks the 1050 tasks are mapped to bloom's wheel and if you're not familiar with bloom's wheel basically this is a taxonomy of progressive learning uh with active words right and because this nice uh cybersecurity framework is kind of has active words if you take that and then you say where's the competency match so we have five cyber security competency functions and this individual really their
targeted training should be at this between maintain and design of those five levels so i have a role to focus on or roles and now i can focus on a competency that will also provide direct impact for the individual and the business so somewhere in that top tier is where this training should be focused for this individual so you can see here that uh 56 percent in design and 35 percent in maintain so almost 90 percent of this individual's role is in that upper quadrant of competency so that really helps us align that now here's the the fun part now that i know all this i have a targeted role i have competency but what training is
needed okay let's take a look at that so what we've done here at inl with this model is we've taken all trainings out there um and we're still building this database obviously but imagine that someone from regional or local perspective uh even within the state of idaho says i want to be able to get training in this specific area but that's offered by say bsu or isu or u of i or maybe one of the six uh two-year colleges right all this is sitting in this database and then a person goes i need to be trained at the design level on this right side of this this screen here we we determined already this
person's targeted competency is design well i've got a number of courses and this list is kind of cut off let's say i've got 30 courses now that i can choose from this is from isa this is from sans this might be from an academic institution or another training provider it could be from inl right but now i can specifically sit down with this individual knee to knee and say over the next two years what makes sense for your training path to be able to get where you need to go and so once again this is a self-help model for the organization to do this with individuals so some key aspects to this conversation is
it's helping the individual it's helping the business but you can also save off this information and i'm going to go through the task analysis survey in a minute saved off in a json file that you can pull back in and have specific discussion so in summary the model measures current state we go through a competency uh you know these phases two through four how do we help the organization uh understand who's responsible how do we target in on those competencies and then at some interval we come back around and we re-measure that state ideally we've this investment right we can now show roi when we get in the conference human boardroom and have this conversation
in our roles in security and cyber security we can now show appreciable gain in security by the investment made in competencies of our individuals um and so results for for government industry uh partners and and uh you know specifically is we can provide an organizational security level metric you can talk to and ideally you now have a workforce profile and think in terms of we do this across 20 organizations in aviation or 20 organizations the energy sector we can come up with industry and sector profiles or we could step into an organization or in a business and help them already with some information that's coming from other organizations to make their job easier we provide the competency health metric
we can provide learning plans that you discover by job role which basically is you know each individual and that competency health and how to increase the organization security through those individuals and then clearly there are self-help continuum improvement mechanisms all throughout the model and they're kind of listed here but we've talked a lot those about those already from an academic and training partner perspective what does the model provide potentially um let's talk in terms of academic institutions if you're a bsu or u of i or isu um you know maybe uh you know in the state of idaho we're already going to meet with the workforce development council here in the next coming weeks and
and starting to build some of these things how do we actually start to target uh you know training and provide specific training to those businesses and industries and then feed that back into our academic and training partners and and part of this issue really is how do we how do we develop a cyber ready workforce um right now if you have someone graduate and this is not a hit on any institution at all but if someone graduates with a cyber security degree they're probably still two maybe one or two years from being really helpful to that organization so if we can actually build this competency within the structure of of of how we get there and we talk in
terms of the pipeline imagine the model not just being for organization but the model being for how we actually build this we can actually come back around and say okay when someone graduates uh from a two-year or from a four-year they're cyber ready because we've actually built that competency into that and the industry's feeding that back to academia and academia is better informed and we can actually you know from a training provider academic perspective we can build together and make sure that when we train this that we're building in soft skills and hard skills and uh you know testing which is also part of the model that i haven't really gone into but the key here is it's all about
competency and helping the individual because if the individual is competent then wherever they work the organization will succeed and overall we're going to raise that cyber security and security bar so that's the model now what i'd like to do is i'm going to stop sharing this presentation and i'd like to take a few minutes to go into the task analysis survey and i think that'll leave us plenty of time for questions so one second while i stop this and let me share out the survey here
so what you have on your screen is the cyber champ task analysis survey and what we're going to do is we're actually going to um hold on i need to my next is not view i have to go next and move back over um yeah i think i moved that screen so what we're going to do is we're going to take a look at an individual's position so let's say that i'm a cyber analyst and maybe i type in my job description whatever that job description is now the key here is i can actually choose a sector and this sector can be you know whatever it is so let's say that my sector is i'll just say in this case that i'm in
the energy sector and that i actually of the dhs critical functions maybe my main function is that i actually um distribute and let's say i transmit electricity so that's just some data capture we can do as we move forward to to help move this but that's not really the main point but some things are in the background so now i see the seven categories from the nist nice cybersecurity workforce framework and the eighth category industrial cybersecurity which we've added uh with the inl's background and expertise says uh is that's really what we do here and one of the main things we do here so let's say from a cyber analyst perspective that i need to analyze and collect and operate
and investigate and i have some industrial cyber security components and this model is still uh working through so industrial cybersecurity we're still kind of working that so then i go there um let's say maybe i also operate and maintain so i've i've selected my category now for specialty areas i actually go through here and say okay based on that my specialty areas well systems analysis definitely that's one of my areas uh let's say knowledge management and now let's talk about this analysis that i do let's just say for instance in this case that i do almost all of these and then i i speci i i specifically work in collection operations maybe cyber operations and then i have
some cyber investigation uh and digital forensics uh work and then uh this industrial cyber security now i'm gonna go into uh specific roles so based on that information so far what role would i most align with well system security analyst threat warning analyst exploitation analyst mission assessment analysts i'll say all source collection and then uh maybe i do some cyber crime cyber defense forensics and i do some ics analysis uh and maybe every now and then i have to do some technician work but for now i'll take that off so what i've got here is i've got these roles picked now what i've done is by by selecting so far all i've done is necked down to this task list
so now what i'm going to do is it's going to take probably an hour or so i'm going to go through this and i'm just going to randomly pick now ideally you would be reading these and see you know what do i actually do in my daily job right so i'm taking these um specific tasks and i'm selecting them based on what i normally do as part of my role and let's say that um you know i'm actually really understanding uh you know i'm actually seeing what i do on my daily dish in my day so i'm going through this list and like i said i'm just randomly picking here and the other thing that i'm going to
mention here in a second is we actually have an opportunity for you to actually really create custom tasks as well and i'll show you that in the next selection so like i said this is going to take a while for you to actually go through based on what you've chosen and this is going to be even more difficult depending on how long the individual's been in the organization and how many roles they're assigned when we did this when we validated this model here with this organization in idaho they had an engineer with nine roles and so this was a very interesting discovery for them so i hit next let's say that i need to actually talk
in terms of a task that wasn't in it that's really important for me i can add that task and we can build this task database out and make it longer now i'm going to hit next and what i'm going to see here is based on all that information i chose this is a really tough one right because look at all the things this individual does and so this is another thing that's really important for an organization to understand when it comes to security and cyber security how much is your person doing and are they assigned too much and really can you ever train them in a millennia based on all the roles you assign them
so the key here is to have a specific discussion now i chose 69 tasks and of those tasks i look at this pie chart and although it's broken out pretty good um this pie on the left is really confusing right this is where the pie on the right comes in so based on the 69 tasks i can see in this purple here that if i go down or if i chose a system security analyst that's probably a large portion what i need to focus on when i establish my training plan right and it kind of gets lost in the pie chart over here this pie chart on the left really becomes that discussion on wow does this person have too much on
their plate the one on the right can become really okay let's talk in terms of where we need to narrow in on training right so where am i going to get the best bang for my buck on helping this individual become better it's in the system security analyst and then this little aqua color one right which even over here shows a little bit less right so the 69 tasks 20 of them were in the x point exploitation analysis area and 10 were in the system security analysis area so 30 of the 69 tasks basically 50 of my role were in two of these in these two roles so two different really important ways to look at the
information now then what competency should i focus on i now want to take a look at now that i know this information where should my target be well based on this individual sixty percent of their role is right in the middle you've got awareness support maintain implement design so this individual pretty much sixty percent ought to be targeted in that middle tier um now then what's the most important thing now that i know all this information how can i help this person become competent and remain competent well let's take a look at these training levels so i've got awareness i've got support i've got maintain i've got implement i've got design but we've already established that sixty percent of this
person's role is in this maintain area and for you know for brevity's sake uh not all the courses are listed here but basically sixty percent of this individual's tasking that this company has them doing every day is in this maintain area then i probably ought to choose courses from this area to specifically help them become better and provide direct roi impact to the business i can now sit down as a manager with this individual and select a training course that makes sense a tactical training plan one to two years out to say what courses do i need to take that can impact um you know this individual uh help them grow help the organization get better
now then let's take a look at another aspect that's really important on this top level here um i can actually go into data and i can export this file out i'm going to do that and it exports out as a json file now after i export it out i can go into my downloads in this case i can pull it back in at any time within the year or year and a half whatever open it back up i've got all the data i saw before and now i can sit down with my boss and say you know uh shane i'm not really sure that we do operate maintain uh so in in in this particular role
or maybe uh you know industrial established creatures you can have this conversation remove things and add things right then i can go here and say you know i think we need to take some things off here or maybe add some things and so this is very negotiable now then another cool thing imagine if you wanted to figure out in my company a cyber analyst ought to look like this so you can use this task analysis survey to build that golden child so to speak and you can say oh here's exact things i want to do here's exact training they need and so every single one of your cyber analysts can be compared to that task analysis person or you know the the
the profile you you come up with from there so um that's about where this piece of my presentation ends and i will take questions or maybe you've been answering them in the chat and donovan's been uh answering away

yeah stand by shane uh we'll we'll get you the questions

hey no worries

all right yeah shane also would you please do a quick introduction again i think that the first part of this got cut off so if you could just do that introduction thank you

uh yeah sure no problem uh i'm shane staley i work for idaho national laboratory i'm the opportunity strategic lead in the national homeland security training office and we do a lot of workforce development
national nationally and internationally um obviously in the state of idaho and uh and this model um really has been gaining you know national international attention and uh we just finished validating the model with uh and so we're looking to get get out get it out in idaho and help where we can all right thanks for that shane um are you seeing any questions in there donovan if so please let us know
yeah question uh so will this help a person or an organization to keep track of training and competency of the person and organization

yes uh that's a great point we're actually working on that tracking mechanism as we speak we're actually working with an organization called knights as in the knights of the round table they actually have hard skills testing soft skills testing and the tracking mechanism really from k through career so that that tracking mechanism really would would not necessarily uh you know you linking into the company but ideally um this would allow you to be able to track those things

well that sounds great uh how could someone find more information on the cyber knights
cyberknights.us all one word
all right very good looking for more questions
all right we did have a question that didn't come through the normal channels but with cmmc how does the framework intertwine with cmmc and also nist procedures

so basically uh cmmc has five levels of maturity and so that was kind of an easy one for one of the reasons i've chosen it also if you're following kind of any of the late and breaking government initiatives the idea is that eventually you won't be able to do business with federal government unless you're cmmc certified and so that's the other reason i've chosen that model and so basically there's five maturity levels there are a number of practices associated with each maturity level and so the way that it links to the model
is we basically provide the measurement back to the organization and saying you observe these numbers of cyber practices then you're probably your cyber hygiene is at this level and that's kind of how that links and as i mentioned earlier we're actually working on on that same type of accesses database with c2m2 hipaa and a couple of others so that these can be used across sectors and industries

all right very good and related to that question i see um how does someone get started if they are a small business and want to do business with federal government into cmmc if they're at a base beginning level

that's outside of my realm certainly we can certainly help you uh
from the standpoint of utilizing the model we'd be happy to provide a presentation to your organization uh actually we can introduce you to cmmc and what those levels are you can see how you match up and then potentially generally if you're not familiar with the way that federal government works from a smaller business perspective there's a whole registration process that takes a while before you can get on that database right but and they're not there yet so sorry i'm not too too experienced in that realm but i do know that uh i have had some individuals and organizations that i've known that have uh have wanted to get on the federal government registry and it's a
uh it's a laborious task but i think eventually cmmc will be a huge component of that yeah absolutely
right i'm not seeing any other questions um actually there is one more
so question of we also have another question on youtube yeah go ahead oh there is okay so will this be available anywhere such as online so someone to track their competency and to figure out what training to go get next that's a good question uh yeah great question and we're working towards that end um right now we're actually working uh the question in youtube is will this hold on hold on let me answer this one uh unless that's the same question i don't know i think it's the same one oh okay sir um so basically the idea is we're actually building an app we'd like to make this an app right but it's taken us some time and so
we really feel like we need to um develop this a little bit more on our side um a little insider baseball we we actually are working some army uh sorry aviation cyber initiative health care and public health care sector and uh work we hope in the near future help validate the modern model get a little bit more succinct and then ideally we would like to have this you know imagine this being a handheld app where you can actually do that so it's gonna it's a while till we get down the road but to the questions the answering the question specifically yes we we want to make this more and more affordable a lot easier to
use you know the facilitated portion with validating the model took us uh thank you very much covid you know nine months but actually this model if you actually took it um you know now that we've got the processes worked out and there's different things you could probably do this within uh two to three weeks with the right people in the room and you know doing the right steps and right now that would probably be a little bit of inl facilitation but eventually we'd like to make this really more of a self-help type thing with only maybe a one to two day training trainer type of thing and then you're off after the races

all right very good and just checking to
see if we have any other questions in the youtube live or any other channels that come in i'll do one last check queen sometimes we get some of these a little bit later here
all right i don't see any others unless donovan if you see any

yeah i see i see no further questions

all right thank you very much i really appreciate the opportunity um my contact information uh is shane shane.staley inl.gov i am not seeing anything if you all want to reach out to me if you want to know more about the model or if you want just to provide you a deeper dive into the model and how it can help you in your in your role in your organization please reach out we're here to help