Herding Compliance Supply Chain Cats w/ Kellie Tomeo

Kellie Tomeo, a former prosecutor and now senior counsel at Montrose Environmental (an environmental remediation firm), tackles the hardest part of CMMC for non-defense companies: figuring out what is even CUI, and getting that message up to executives and down to subcontractors. The throughline: identify your CUI first, document everything, and be proactive — because these obligations have teeth.

Key takeaways:

  • The “spy hat” test for CUI. If a bad actor could weaponize the info to disrupt a federal facility (e.g., a map of underground drinking-water lines), treat it as CUI. Most companies wrongly assume “we don’t build rockets, so we don’t have CUI.”
  • Two-letter flowdown method. On every award, she sends the contracting officer a letter stating what they believe is (or isn’t) CUI and inviting disagreement — a CYA move that primes have overwhelmingly welcomed, since the government often hasn’t caught up either.
  • Descope deliberately. Don’t send CUI where it isn’t needed (e.g., a lab analyzing samples doesn’t need the GIS map) — and temp-check subs early to learn where they are in their compliance journey.
  • Overmarking is rampant. Expect “decommission the CUI” nonsense and CUI used to dodge FOIA; read the law/regulation actually backing the marking.
  • Selling it upstream = ROI + risk. Frame it as cornering a constricting market and “there is no D-minus” — it’s pass/fail, with fines, debarment, and DOJ False Claims Act exposure (e.g., the Georgia Tech case).
  • It’s only ~70% IT. The rest is physical security, visitor access, SOPs, and workflows — so don’t let it get dismissed as an “IT problem.”

Transcript

Daniel: Hello everybody, and welcome back to That CMMC Show. Today we have a special guest to discuss the ever-challenging topic of supply chain compliance and what this actually looks like — because, guess what, chances are you can’t do the work by yourself. So if you have to have a CMMC cert, people downstream do as well, if they’re going to have access to that same CUI. That’s a big problem, and one that, once a company is certified, you now start thinking about downstream: How do I get my suppliers compliant? How does this work? How do I descope or decontrol CUI downstream? What even is CUI? So many questions. And I’ve brought an expert to the show today. Kellie, thanks for joining us. Please tell the people a little about yourself, and who is Montrose Environmental?

Kellie: I’m Kellie Tomeo. I’m an attorney — been an attorney for what feels like 900 years or so. I started out as a prosecutor, so I’m a former prosecutor — you never really take that hat off. I came from a firm and then was picked up to come in-house, so now I’m senior counsel at Montrose Environmental. I provide support, help, guidance, and a shoulder to cry on regarding all of our federal and federal-like work. Not our entire company does federal work, but we do have some that do — which is why we decided to do an enclave, which we can talk about later. Montrose Environmental is a large company made up of really smart people — engineers, scientists, PhDs, doctors, geologists. We kind of fix the air we breathe, the water we drink, and the soil that feeds us. We fix it all — from bad chemicals and things that are in there — and clean it all up so it can be used in a better way. So that’s what we do.

Daniel: Nice. That’s super cool, because I like all of those things. Big fan of clean soil. Love good food. Love breathing air. Big fan.

Kellie: I’m a big fan too.

Daniel: Big fans. One of the things we’ve talked about pretty frequently — and you had one of the most articulate answers to this — is, what’s a good example of CUI? Because before we get into CMMC and flowdowns and contracts: honestly, people don’t have time to go look at the National Archives CUI Registry, even though that’s the ultimate source of truth. And even if they stumbled upon it, most don’t have the time or capacity to read and understand it, because they don’t have that background. They just want to do their job, and maybe their job requires an engineering drawing, a blueprint, a specification. So when you’re communicating this to the masses from a very simplistic approach, what would be a good example or analogy of what CUI actually is?

Kellie: So for the rest of our discussion, I’d like to use an example of CUI — one I give our folks as well, because it’s hard to read that dang definition of CUI and figure out what the heck it could possibly entail. There are so many myriad possibilities. And when you’re a company like mine — hey, we don’t build rockets — it’s not going to be glaring. There’s not a neon sign with an arrow pointing to all of our CUI to make it easy. And I dare say that’s the majority of folks out there.

So part of my job — I like to consider myself the Jan Brady of my company, because I have to communicate this upstream to the C-suite and the ops personnel, and then communicate it down to the people in the field. So I started using examples like this. Let’s say we’re going to be onsite at a federal facility, and part of our job is to find the underground piping and the underground drinking water lines, or underground utilities, because we have to dig a hole and put a tank there for whatever reason. You want to make sure you’re aware of where all the drinking water lines are — that might be what we’re working on. You want to be aware of all the piping that could take chemicals and chlorine from one place to the officers’ pool, let’s say, that’s next to the hole you’re going to dig. So it’s important for you to know all that. If a bad actor got hold of a drawing, or engineering drawings, or a GIS map, or whatever else you might have, that tells them where the underground drinking water lines of a federal facility are — or the underground dissemination of chlorine to the officers’ pool, which would only take 2.5 minutes to ruin the day of a federal facility and interrupt its normal daily function — that’s probably going to be CUI, so safeguard it.

So I really had to say to our folks: pretend you’re a spy, or you’re in a spy movie. What would a bad actor need to know to disrupt the normal daily function of that federal facility? If the information you have to do your project is on that list, and could be used in that manner, let’s probably assume we’re going to be treating that as CUI.

Daniel: I love that connotation. “If I was a spy” — because every person can imagine that. “I could use this and do something malicious with it.” That’s a really good base understanding, from the higher-ups all the way down the supply chain, because that’s really what “sensitive” is: if a foreign adversary can take this information and weaponize it against a facility, military personnel, whatever it might be. I loved that when you came up with it when we talked last — I was like, we’ve got to share this with the world, because it’s a very articulate way to discern something. Just put on your spy hat.

Kellie: Yes. Because it’s hard for folks to understand. “Listen, we don’t build rockets — so how could digging holes, or whatever the scope of work is, possibly be CUI?” You have to show them it’s really not a reach, not a stretch. You have to put it in ways they can see in their daily work — your particular scope of work under this particular contract — and say, “Here’s what we’d consider CUI.”

Daniel: Now, I’ll say this — it’s probably a lot easier to communicate internally to your frontline people, given the analogies we used. Simpler, knock on wood, to some extent. But people you can’t control, like subcontractors and suppliers — you don’t have any corporate leverage. They don’t know your voice. They don’t know, “Is she telling me the right thing?” They don’t know who you are and your experience in this. So when you look downstream to the supply chain, how are you able to convince them contractually? What are you putting in front of them to make them aware that this is highly sensitive for this type of work? Because you guys work with suppliers and subcontractors probably a lot in commercial, and some of the same people in the defense contracting space. So how do you flag, “Hey, this one’s the CUI one, this one’s not, and this requires the extra protections and this doesn’t”?

Kellie: Great question. When I first came on board, I tried to articulate that your inside attorneys, or the legal team, stick with a project for the life of that project. We may win a five-year contract, but we’re going to be hip to hip for all five years, because every contract is different. Those contracts have flowdowns that are different. Some of the flowdowns may or may not apply, based on whatever amount you were awarded, or whether you’re on-site or off-site, or whatever your scope is. So those ticky-tacky things, which seem small, can impact exactly what gets flowed down to a lower-tier subcontractor.

So what we do is start at the top. Once we get awarded work in any form — we could be the prime, or we could be a subcontractor — wherever that work gets awarded to us, I prepare a contract summary. In that summary, I point out certain clauses located in the contract, and there’s a section for our PMs, a section for HR, a section for safety. Anything that’s going to impact our costing I put in there. But I also put things in about CUI. So anyone can go back and look at that contract summary for any project and know exactly what’s in our contract. The first and most important thing is just making people aware of what’s in the contract. They’re not going to read the 263 pages. I will.

Daniel: They’re not going to read all those flowdowns — a bunch of numbers.

Kellie: Right.

Daniel: I think you’re right. I don’t think people understand, unless you’re in that space, that there are multiple pages of these FAR and DFARS clauses — and how do they know which ones to take seriously? Theoretically they should take them all, but they don’t. You almost have to take a highlighter pen and say, “These are really, really important.”

Kellie: Yes. So here’s where the second half of that comes into play. I’ve been on phone calls with not only our client companies but our lower subcontractors, walking them through: “Hey, based on the scope you’re going to do for us, these things are going to apply, and we’re going to flow these down, and we need to make sure you’re prepared and ready to receive that.” I’ve been on those calls with mom-and-pop-shop subcontractors. I’ve been on those calls with the legal department of a subcontractor. It’s all over the place. And the reason is that no one really knows what’s in their contract. We’ve all seen those flowdown pages come at us like a train, just listing FAR clauses and DFARS clauses. Well, I’ve got news for you — there might also be EPA clauses included. There could be Homeland Security clauses included.

So honestly, we’ve taken the approach that we want to be informative to our lower-tier subs. We’d love to use you again, so we need you to get this. After I do that contract summary, we send out two things. One thing we send to either the awarding KO or the awarding client — whoever has given us that work. We send them a document saying, “Hey, I see these clauses are in here. Based on our scope, we think the following will be CUI.” Or, “Based on our scope, we don’t think there’s going to be any CUI in here.” For example — to your question — we had two awards, same exact scope of work, same equipment, doing the same thing: cleaning some water. One place we were putting it was a federal facility that was going to clean their drinking water — obviously important to keep clean for a federal facility. The second item, a totally separate contract, same stuff, was way out on the back 40, cleaning groundwater. Clearly not the same issue, not the same risk, not the same output. If a bad guy gets hold of that, yeah, they could cause a problem, but it’s not going to do the damage it would if you know where all the underground drinking water lines are.

So we sent two letters. One said, “Hey, we see all these clauses have been included in our contract. We think, based on our scope, the following will be CUI” — and we list it out: engineering drawings, underground utility lines, GIS maps. We list everything we can think of, because I get on the phone with a PM and we list them, and say, “If you think there’s more, let us know. If you disagree, let us know.” There’s a reason for this letter that I’ll say in a second.

Daniel: I’m very excited to get to the punch line.

Kellie: Yeah. The next letter said, “Hey, we see these clauses in the contract — same clauses — but we don’t think we’re going to be doing anything that would be considered CUI. Please let us know if you disagree.” So that is literally what we’ve been doing for a couple of years, because it’s more of a CYA measure, to be honest, on our side — throwing the ball back in their court. The responses to these letters have been all over the place, but it’s just to make sure we’re on the same page. We also know that agencies haven’t really caught up with us in all our knowledge of CUI, such as it is — they’re not attending all the Jacob Horn videos, you know. There’s a knowledge gap. So we started doing this a number of years ago, just to CYA, to make sure we acknowledge those clauses are in there, but we think this, and if you disagree, let us know.

Daniel: Do you feel that overall that’s been well received? Do you ever get pushback on that, or is it “thank you for clarifying this,” thumbs up, go forth and prosper? Is the contracting officer open to that? Because a lot of people feel hesitant talking back — but it sounds like, by building this bridge, you’re basically low-key doing their job for them, saying “these things are CUI, can you just give me a thumbs up?” and they’re like, “Yes, thank you for doing that for me.”

Kellie: That’s exactly the response. There was the worry early on that I didn’t want to tick off our KOs or our COR — I don’t want to tick them off by saying, “Hey, we see these, and here’s our opinion about what you just awarded us.” But the overwhelming response, especially from the larger primes, has been, “Thank God somebody knows enough to ask this question. Thank God you used all these words correctly in your letter.” Because, listen, the DIB as a whole has been hungry to even get an accolade that we know what CUI is — much less that we know what all the parameters are that we have to comply with. So the overwhelming response has been, “Oh God, thank you for asking.” And we’ve had an opportunity to clarify some CUI expectations and, frankly, to educate — we’ve educated some folks. So it’s been very good. We haven’t gotten any negative response. What we’ll get is just no response sometimes.

Daniel: Oh, interesting.

Kellie: Which is fine. It still was sent. It’s still in their court. I’m cool with that. No response is still a response in my book.

Now, how do I communicate compliance downstream for our subcontractors? We look at their scope and what we need them to do. Part of this has to do with descoping as well — we have to control that CUI going out. If we’re going to use a lab that’s just going to analyze some samples, well, then we’re not going to send them the GIS mapping that tells where all these samples were gathered. It’s just “give me the results from this testing of this sample.” So that’s a little easier to control. Obviously, sometimes you can’t control that as well, but you just need to make sure you’re communicating downstream. The second thing we’ve employed is a vendor letter saying, “Hey, there are these rules. We’re just doing a temp check, if you will, checking where you are on this.” And we started sending this way before that Lockheed post.

Daniel: Oh yeah.

Kellie: That memo stirred up a lot of stuff. I loved that day so much — I’ll be happy to discuss it later. But it’s vindication for people saying, “Hey, I’m not nuts. I’m not your nutty attorney over here in the corner doing federal work.” We’re just temp-checking. “We’d love to keep you as a subcontractor, starting in what we think might be Octoberish. Anytime we’re going to need you as a lower-tier sub, if you’re going to get CUI, we need to make sure you can handle that and you’re qualified to receive it. So just tell us where you are in your journey. Where are you? What level are you going to do? Where are you on that level? Have you already gotten a third-party assessor lined up?” It’s very nice, but it’s a full page and a half before that question — of educating: “Here are the rules we expect you to follow if you want to be our lower-tier sub.”

Daniel: So here’s what’s fascinating. I heard a large enterprise supply chain manager tell me, “We’ve already reached out to our critical supply chain, and if they haven’t heard from us, they’re probably not as valuable as they think they are.” So it’s really interesting — believe it or not, the Lockheeds and Boeings, before they ever posted a memo, had already secured their critical supply chain before they let everybody else know, because that’s where they had to spend all of their attention.

And the interesting thing you brought up a second ago is deciding who gets data and limiting sending CUI to people. A lot of people haven’t cracked this code at all, because in their mind, anything on behalf of a defense contract is CUI — which you and I know isn’t true; just because an email is marked CUI does not mean the email is actually CUI. But when you talk about it internally, do people come knock on your door? Do you feel like organizations need to foster an open culture — almost like a CUI program manager, somebody to spearhead, “Can I go tap Kellie on the shoulder and say, ‘Is this CUI? Can I send it to these people?'” What’s the best way for an organization to build that culture, instead of just guessing, or limiting themselves to only a few suppliers when they could potentially use a lot more if they just descoped or decontrolled the data?

Kellie: So this is a two-edged-sword issue, because you can use it in a positive manner. You can say to your C-suite — the people you have to convince this is legit, “we need to put money to this” — “Listen, you’re going to have a very short window, maybe two years, where the DIB is going to constrict in such a fashion that you are not going to have any competition, maybe, in your industry, because you’re going to be one of the only ones who are Level 2-ready, waiting on your assessment, and on time with it.” But you have to keep the communication going. That’s why I alluded, at the very beginning, to “we’re going to be hip to hip on these projects.”

It is way cheaper for a company to be proactive rather than reactive and fix it later. And these things have teeth, man. You can’t say you’re compliant — or not read your contract and sign on the bottom line that says you’re compliant — and not be compliant. You’re going to get a fine, you’re going to get debarred, you’re going to get contracts yanked, or worse. So it’s cheaper for a company to employ someone like me, or a very trained, good procurement team inside who knows these differences and can come knock on my door and ask for specifics. But you’ve got to know your scope, and you’ve got to talk to your PMs. I absolutely have Teams chats popping up all day long — “Hey, got a quick CUI question for you.” Listen, we still get things that are not marked correctly, marked FOUO, or not marked at all. We’ll still get requests to unmark CUI, or — the language literally last week was — “decommission” the CUI. “We need you to decommission the CUI.” I don’t think that’s a thing.

Daniel: Yeah, exactly.

Kellie: But we still get that, and all of us are going to get that — the overmarking is driving us insane as well. But we’re also seeing things marked interestingly when they want CUI to act as that barrier between Freedom of Information Act requests and information.

Daniel: Oh, FOIA requests.

Kellie: Yes. So we’re seeing that too, because a lot of the PFAS cleanup, which is what we do, a lot of that they want to keep under wraps. I don’t think they’re using it in the right way, but that’s what they’re doing. They just say, “Hey, I think this is sensitive, so I know to slap this CUI on it.” I wish there was a little more education. I saw the CUI marking decision flowchart they show everybody, and it’s like: is it classified? No. Does it have a law, regulation, or government-wide policy backing it? Yes — it’s CUI. But people don’t read what’s in the “law, regulation, or government-wide policy” box. Just because you’re a government employee does not mean it’s CUI. And it’s people like me who get into those weeds. I had to go in, when we were making our decision on the enclave and whether to be GCC High or not, and get into the weeds and read all those rules and make sure I wasn’t running afoul of something that would throw us into CUI Specified territory. I had to make sure. So you need someone on the inside like me who’s going to volunteer as tribute — because it is not pretty down here. And there’s such a huge learning curve that you need some dedicated folks for that.

Daniel: I can’t wait for the Hunger Games CUI edition to come out, so you can officially volunteer as tribute there, Kellie.

Kellie: District 12. That’s right.

Daniel: One of the last questions we have, which is always one of the spiciest, is at the executive level. The people who come to me on a daily basis are usually technical people who have been told, “Go solve the CMMC problem for us and don’t come back till you do.” Well, they don’t know what type of CUI the org has. They don’t have reachback into contracts or procurement. A lot of times they don’t have GCs — general counsel — or any supporting bodies they can talk to. So how have you found is the best way to communicate CMMC risk upstream — of doing it or not doing it? “If we do it, we’re going to be out X amount of money; if we don’t do it, we’re going to be out an even larger X amount.” What are some of the nuances in that conversation that have been successful and put Montrose on the map on the CMMC side for the type of work you do?

Kellie: It’s a strange thing when you communicate up. You need to hit on the ROI — what’s the return on my investment for this stuff? It’s going to cost a pretty penny. And you not only need people, but you need processes, and you need outside help in some cases — well, in most cases. So you need to tell them the “why” for that and equate it with: we may already have millions and millions of dollars of contracts awarded to us, but we won’t be getting any more of those if we don’t comply with this thing. Once you do that ROI discussion, it becomes a little easier. But I’ve been in discussions where you had to take that hard line of, “Listen, when you sign something for the federal government that says you’re compliant with something, it better be a true statement.” Now, I think it’s easier for me to say that, since I’m a former prosecutor, and they kind of look at me in that light. But, believe me, there’s some fear that comes with that communication — when you have your C-suite person saying, “Hey man, just get us to a D-minus. We don’t need to ace the thing, just get us over that line.” And you have to tell them: there is no D-minus. There are no grades. It’s pass/fail. And if you fail, it comes with teeth — I’m trying to keep you out of jail, not just make sure you win beaucoup amounts of contracts. So the discussion can be harsh, but it’s real.

So, talking about that ROI and the “why,” talking about the opportunity you have to corner the market — you’re not going to have so many competition points on that map, because there are companies that do what you do, yes, but none of them are going to be Level 2 like you are. But there’s a basic need for them to understand what CUI is in that company, and you have to boil it down to its basic form, just like I did — put on your spy hat. That has to happen first, because if they don’t understand that, they’ll dismiss you out of the room, because, just like everybody else, “Hey, we don’t build rockets, we can’t possibly be handling CUI.” Or worse, their eyes glaze over when you’re talking about IT stuff. And I have to say, “Listen, this is only like 70% IT. The rest is not IT — it’s physical security, it’s visitor access, it’s SOPs, it’s workflows.” So it’ll take a while to get there, but the discussion has to be had. First, figure out what that CUI is in your company, in your particular scopes of work. That’s what you have to communicate up, period — in a story.

Daniel: I love it. It helps when the DOJ gets involved with all these fun False Claims Act cases that you can point to and be like, “Do you want to write a check for $7 million? Do you want to wear an orange jumpsuit?” Listen — I went into a meeting with a printed copy of the Georgia Tech case. I’m like, “Listen, this is real. It’s happening. They have a whole group they’ve put together for this. You don’t want that knock on the door.” It’s beyond just being in breach of contract — it’s beyond that. But you have to tell them what it is and equate it very quickly.

Kellie: You have to tell them what it is and equate it very quickly.

Daniel: I love it. Well, with our last statement here, I always like to end the show with closing remarks, Kellie. The world is your stage — the worldwide internet, and a lot of CMMC listeners. If you were to give any sage advice, wisdom, landmines — speak to the people — what would you like to say?

Kellie: Listen, I have loved, for the past few years, this group, this particular section of the DIB — how we’ve all come together as one, and we share communication, we share information, we can go anywhere and get that information. I think when I saw you at the Boston CS2 conference, I was like, “I think I found my people.” It’s bigger than that. Please reach out. Get the information you need. If you don’t understand part of this, call one of us who at least has a grasp on it. And I’m not saying my way of sending the letters back or doing the contract summary is the way — but it’s a way to keep us out of hot water. So find that, and ask. Reach out to this huge selection of people who know what they’re doing and get that information. It’s there, and it’s valuable for you to get it now rather than later.

Daniel: I love it. And everyone listening — we’ll put Kellie’s LinkedIn in the notes, so you can reach out and connect with her. You’ll have mine as well, to connect with any questions you have. Like you said, this is the most supportive community I’ve found around this altogether. So we’re all here to help. And yeah — thanks everybody for listening. Kellie, thank you for joining us, and I’m sure we’ll have you back on again.

Kellie: Thank you, I appreciate it. Thank you, guys. Bye.
