Craig fills you in the Best Security Practices for Passwords and What is absolutely required by anyone who is contracting with the US Military.

For more tech tips, news, and updates visit – CraigPeterson.com

Read More:

What Government Contractors Need to Know About NIST, DFARS Password Reqs

Automated Machine-Generated Transcript:

Hey, does your business make something that might be used all ultimately by a government contractor? Did you know that all of the requirements that they have rolled downhill right into your lap? That’s what we’re going to talk about.

[00:00:22] Hey everybody. Welcome. This is Craig Peterson. I’m so glad you guys are here. There are so many things to understand in this whole world of security and technology is frankly, it’s just very, very confusing. It’s impossible to catch up on. I’ll give you that. And it’s very hard to keep up on. So what I’ve been trying to do here on the show, and then.

[00:00:44] And in the webinars that I’ve been putting on is to help you guys understand it, turn it into English, make it something that’s workable. I had quite a week last week, very, very eyeopening to me because I’ve been working with a few different companies this justice last week that had major security problems and were completely unaware of it.

To me, that is just completely unreasonable, right? Well, I shouldn’t say they weren’t unaware of them. One of them was the pizza shop that I mentioned, and they knew something was up because the payment card industry guys knocked on their door and say, it said, Hey, we got to do an audit.

[00:01:27] And they came in, took one, look at the equipment that they had. Back in the, you know, computer room, if you want to call it that, you know, where the server is and immediately failed them. That’s all they had to do was see that links us Rotter is sitting up on the wall because the link says is not good enough for businesses to keep your data safe.

[00:01:49] And frankly, the same thing is true for many of the other products out there. Now there’s a lot of other levels that go beyond where. The payment card industry is requiring. And one of those is for government subcontractors. I have quite a few clients that are government subcontractors, and I think every one of them came to me because they had.

[00:02:14] Problems there they were trying to solve something was wrong. It was, it was, computers were slow emails. Weren’t getting routed properly. Some of their customers were getting emails that actually weren’t sent by them and yet had their return address on them. Right. Those sorts of problems. So we got involved and had a look and figured things out.

[00:02:36] And you’ve heard a few of those stories here. Well, this week was interesting because one of the listeners for the show reached out to me. He got a job. Helping out a business that is a small business. It is, you know, by small, small business standards, it’s a decent-sized business, but they make components that are used by the federal government, by the military.

[00:03:03] And they were not doing what needed to be done. Not at all. And they think that they should be able to be ready in the next 18 months for the lowest level. And maybe they will, but based on what they do, uh, they got to get a lot more ready, a lot higher. Right. That’s the basic definition here. Is, if you make something that either goes boom or at attaches to something that goes, boom, you have to comply with something called DFARs.

[00:03:40] And I tar now DFARs is the defense federal acquisition regulation supplement much easier to just say DFAR is isn’t it. And this is a set of standards that apply to civilians. And defense agencies in the United States, ITAR gets even higher level and it requires compliance, but I tar basically means yeah.

[00:04:04] Yeah. Things go, boom. Okay. So if you make a component, so I have clients that make something as simple as power supplies. And those power supplies are used by military contractors and they go into various types of devices, another client, we went out to them and to help them out, they decided not to spend the money they needed to spend.

[00:04:28] I have no idea what they ended up doing, but they make cable harnesses that are used in military systems. And they weren’t even close to being compliant, which is, you know, the typical thing that we see. So here’s your problem, frankly, because of the new teeth that are in place now where they’ve taken and they moved it to something called CMMC and the CMMC is requiring them to do.

[00:04:58] Even more and it has even more teeth on it. It’s absolutely amazing. So we’ve, this is in place to help protect federal contract information. And a lot of these manufacturers say, Hey, you know, it’s not going to happen to me. I make power supplies. I make screws. I make assemblies. And in some cases they make much more fancy stuff, but.

[00:05:23] It does. It applies to all of you and organizations that failed to comply with these rules can get hit badly with massive fines, class, oxygen, lawsuits, and also jail time for the owners of the business, for the people who are supposed to be running the business. Real jail time. We’re talking about 10-year terms for some of these things.

[00:05:50] So we have to be careful. We have to look at what we’re doing and we have to understand if what we’re doing is the right thing. So how does this apply to you? Well, if you are just a regular civilian, I think you should be happy that finally the federal government. Is trying to protect our information.

[00:06:14] Right. We’ve had the Chinese attacking us and we’ve been in these businesses where the Chinese had backdoors installed. And what does that mean? What’s a backdoor while he imagines that your computers that contain your proprietary information are directly accessible by the Chinese. So that means whether or not it’s military, your computer, the information on it is now in the hands of the Chinese.

[00:06:44] And in the case of one of our clients, what that means is all of his designs. All of his clients lists all of everything that he has worked his whole life for. He now gets to compete against a Chinese manufacturer that has been given all of that stuff. So imagine that happened to you. What does that mean?

[00:07:05] It, it means that our military isn’t as secure as we had hoped it’d been. And we could go through all kinds of stories here. I, I really want to kind of stay focused, but what this means is we need to make sure, especially in this kind of post COVID world, that all of our systems are up to date. All of our systems are properly secured.

[00:07:31] So this, this company, this week, one of these companies this week, they had put in VPNs and they had used some slightly higher-end equipment. You can’t just go and buy SonicWall off of the shelves over at staples, but it does not meet any of these federal guidelines. And what really, really upsets me here is that.

[00:07:57]They do a search online for the model of hardware, software, whatever it is they’re using. And they’re looking for an instance for compliance and it says, yeah, we’re DFARs compliant when they are not compliant. It just. Ah, I don’t know what to do about it. Maybe it’s just me, right? Maybe I’m just a little bit too uptight here, but they’re conning people.

[00:08:24] They’re conning you. And if you’ve attended my webinars, you know how these VPN companies are, conning is how these privacy protection companies are. Conning how the antivirus vendors are calling you. And I’m also seeing this for our, our military subcontractors. All of them that I’ve been involved with have been conned.

[00:08:46] And now that’s not true with the really big ones. Right. I deal with small businesses, 500 employees, and smaller, but. Man. They don’t even know what they don’t know. And that’s part of the problem. Right? That’s always part of the problem. So there are a few things I want you guys to, to understand and know, cause this applies to everybody.

[00:09:09] First of all. Nest. This is a government organization that comes out with standards. It’s a national Institute of standards and technology. And remember, they used to advise that you have these super-duper fancy passwords that are hard to remember and a different password on every machine. And you had to change them every month or two.

[00:09:32] Well, they have relaxed that now, and they follow the same guidance that I’ve been preaching for years, which is. Have a passphrase, a set of words that you remember that you’re not going to forget and that you can type in pretty quickly, but it may be 30, 40 characters long. And then use that in conjunction with a good password manager, like one password that is going to keep all of the passwords for you.

[00:09:59] So you have the one big, really good master password and then a whole bunch of. A password stored in your password manager. Now let’s see multifactor authentication is the next one I have on my list. And it is not what it used to be. Unfortunately, a multifactor authentication. Now a lot of people are looking at it as well.

[00:10:22] Uh, it’s just a text message. I’m gonna need a text message. Well, okay. That’s, isn’t that wonderful, but that is not true. Multifactor authentication, you know, multifactor authentication means something that, you know, along with something that you have, like a mobile app or security key. So be careful with this.

[00:10:41] And again, if you’re government contractor, you’ve got to use. Special types of key chain storage like TPM or TEA. If you need more information, by all means, reach out to M E me@craigpeterson.com. But if you’re looking at getting some of this federal government money, By being a contractor, or if your devices are used or materials are used by military contractors realize that your neck is really on the line.

[00:11:13] Now with CMMC long jail term, backbreaking fines, it will put you out of business. If you get audited, or if you lose some of this data, Hey, when we come back, we’re going to talk about a lawsuit and, and I think this one’s going somewhere. Google got sued for at least $5 billion because Incognito mode is not the incognito mode they’ve been advertising.

[00:11:42] Hey, how sad for fun? Make sure you sign up. You get all of the information for business for home. Craig peterson.com/subscribes to crown. I’ll be right back.

More stories and tech updates at:


Don’t miss an episode from Craig. Subscribe and give us a rating:


Follow me on Twitter for the latest in tech at:


For questions, call or text:


Listen to this episode

Malcare WordPress Security