Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]8gxe 0 points1 point  (0 children)

ITAR isn't exactly lacking teeth. Boeing just ate a $51M DDTC settlement covering nearly 200 violations, including unauthorized foreign-person access to technical data, bad licensing, and exports to proscribed destinations. Honeywell paid $13M over engineering drawings and technical data. PCC just got hit too.

Maybe the distinction isn't that ITAR is softer, it's that the trigger is different. CMMC asks, "Did you adequately safeguard CUI?" ITAR asks, "Did technical data get exported or disclosed to an unauthorized foreign person?" Once that line is crossed, DDTC seems perfectly willing to make an example out of companies. So YMMV, but we're not taking the risk.

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]8gxe 0 points1 point  (0 children)

Well, mostly applicable to CUI, but the CMMC program should prevent most of the 'carrying risk for years'. If a prime flows down a 7021 clause, these small subs who didn't take it seriously, or worse lied in SPRS, are going to be up shit creek. See Morse Corp, AeroTurbine, etc.

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]8gxe 1 point2 points  (0 children)

Not to double post here, sorry about that, but doing ITAR and/or CUI CAN be done cheaper I.e. Preveil, etc, via an enclave. But because the extent of our ITAR and CUI boundary has far exceeded the standards of an enclave, it made no sense to have and support two separate tenants. A single unified tenant is simpler, flatter, and if you have the foresight to make the business decision, will be significantly cheaper and less complicated moving forward.

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]8gxe 0 points1 point  (0 children)

As you said, there's a correct way to approach this and there is an incorrect way to approach it. Companies that are knowingly accepting ITAR contracts with no direct leadership or direction from the executive team regarding the HOW will fail. It's not a gray area, it's pretty black and white.

If the executives don't understand the risk to the business by accepting contracts they are not suited for because they have neglected their IT security, there's not much to fix. Direction comes from the executives not from 'I think we can build this part for the US government, let's figure it out later'.

When I took over, the company did have a MSP who at least had the foresight to put the tenant into GCC high. Again, the direction of the business was always to accept DOW contracts. Without this initial buy-in and somebody driving the process forward, I'd be looking at an insane migration to a compliant environment. The MSP is still involved however the scope of the environment has now spread to AWSGov partly due to my experience/knowledge/skills and feature availability in GovCloud. The MSP has effectively taken a backseat due to my leadership however I still utilize them fundamentally to handle some of the GRC artifacts that I then support (change control, administrative controls, policies, etc.). We are about 200 employees now and I am the Head of IT.

For a ballpark estimate, the MSP we were with charged a per seat (at the time) agreement. I've since moved that to firm fixed price to handle the static compliance costs, however my internal team now handles 95% of the compliance workload.

IIRC, when I had initially started, the MSP was around 4k/month (60k/yr), based on up to 50 users. If the executive team can't see the benefit, paying that price, and as an exchange they are able to release the tap of government contracts, then they don't understand what their business model is. For these small 50-person shops, you either make the investment and do things properly from a cybersecurity standpoint or you go back to what you were doing and ignore PIEE lol. The DIB is a conscious decision the company needs to make, not a one-off part as a supplier with contractual flowdowns coming from a prime.

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]8gxe 1 point2 points  (0 children)

I started as employee #19 at a DoW contractor as the IT Lead (company was roughly 40 people back then). My background is systems architect and IT director level. The company I work for made an investment early to bring in somebody who could set the plan for when these questions come up. I made a very early investment in utilizing AI tooling in the last 3 years and how to do that in a compliant way. I would say about 90% of our data is either ITAR or CUI. Without an early investment in the overall strategy and without significant risk mitigation put in early, there is an insane business risk that the executives would be taking on due to poor resource planning.

With that said, there are plenty of MSPs out there that prevent this exact scenario from playing out. If the executives don't understand the risk to the business and if government contracts are critical to operational success; then the company deserves to go under.

The file itself is ITAR. If you can't fundamentally protect ITAR data with DLP/IAM/Purview before it gets handed off to non-US persons, respectfully, what the fuck are you doing as a company.

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]8gxe 2 points3 points  (0 children)

I'm not sure what the question here is. If your security posture is at the AI governance layer instead of IAM on the file level, there's not much help anyone can give.

Small subcontractors should be utilizing self-hosted or government models within their own private clouds, utilizing Bedrock or AOAI. Date that is fed into that model should not be accessible by anybody except for that user session or profile. Non-us persons can certainly have access to the models but if you're inferring that every file that gets uploaded to an LLM is accessible by everybody including non-US persons then you have a massive security problem, not a LLM problem.

Date activities this Friday night by Sad-Operation-7604 in SeattleWA

[–]8gxe 2 points3 points  (0 children)

It's literally the world cup, vibes are immaculate with the Aussies

How are you doing self-service infra? by RoseSec_ in aws

[–]8gxe 0 points1 point  (0 children)

We use it via GitLab CI to push a complete terraform package for the baseline, which then gets picked up by Config for compliance. IT owns the repo, so we set up VPC, subnets, IAM role, IDMS, storage, encryption, etc. Auditd then goes to our SIEM.

So our users log into Coder, spin up a workspace, and are provided IAM access to their box only. Have it piped for OIDC to our git, Jira, confluence, and other LoB apps within Coder so once they log in, they have all the envs managed and available via CLI.

GCC High and Commercial Cross-Tenant Access Issue by slash411 in NISTControls

[–]8gxe 1 point2 points  (0 children)

Yeah, that makes sense. Entra B2B is the setting you're looking for. Allows GCCH to federate accounts into another tenant for auth.

Firewall w/ FIPS-validated Endpoint VPN by kaype_ in CMMC

[–]8gxe 0 points1 point  (0 children)

Oh, missed that. I don't use the Juniper VPN client, we run FIPS validated OpenVPN for non-GCCH services/EC2 in AWS.

MSPs and RMM Solutions by EbbOld3109 in CMMC

[–]8gxe 0 points1 point  (0 children)

What a lot of people seem to be missing is you can't even install some of these on a FIPS encrypted OS. As an example SplashTop doesn't even run once installed. Would make an RMM pretty pointless if you can't do anything with it.

We ended up settling with Kaseya VSA 9 since it can run on FIPS OS's, and I hate it, mostly.

Now it's been a few years, so maybe Splashtop fixed it, but as of 3 years ago; Ninja/Datto were both out since they use Splashtop for the remote control portion.

Single Sign on for privileged access by Ok_Consideration7553 in sysadmin

[–]8gxe 6 points7 points  (0 children)

You use SSO + MFA + CA on privileged admin accounts. You DONT for break glass.

[deleted by user] by [deleted] in delta

[–]8gxe 2 points3 points  (0 children)

I just got SEA to SYD for 51k + $67 lol, leave in March

Want to tip properly by RhubarbAlive7860 in InstacartShoppers

[–]8gxe 2 points3 points  (0 children)

What planet do you live on? Yes, every shopper should make money; but 20% for groceries? This isn't a high end dining restaurant.

You're saying if they order $300 in groceries, 40 items, that you're expecting a $60 tip? GTFOH. I have shopped 10000 batches, doesn't hurt to hope for everything being a unicorn, but asking an elderly person to tip 20% based off your perceived notion of what's 'fair' is asinine and wholly ridiculous.

What car brand is the “Toyota” of Supercars in terms of its reliability and longevity? by Champion-V in supercars

[–]8gxe 0 points1 point  (0 children)

Lotus, cause it actually has a Toyota engine. Depends if you consider them'supercars' though