H3T, LLC - a technology consultancy

Once upon a time...

I have been supporting Linux and other Free / Open-Source Software since 1993. I built my career around the tools, ecosystem, and ethos. Every company I worked for benefited from my expertise and, indirectly, from the support of thousands of developers building tools that companies would not make freely available. And to be clear, I’m not talking about cost-free; I’m talking about source-free.

It may be hard to imagine in 2024, but we were forced to fight for the right to utilize tools like Linux, the GNU Compiler Collection, Apache, Python, PHP, and MySQL at work. Commercial software companies called open-source software licenses a cancer that prevented them from making money. Those same tools now power the world's largest enterprises and data centers, disproving those alarmist accusations.

[Photo: 2001 MLUG Meeting] Leading a LUG meeting in 2001

Once upon a time, concrete was an innovative technology, but over time, it became a commodity we now take for granted. Once upon a time, electricity was a novel innovation that captured imaginations. The once innovative Free / Open-Source Software tools have become a baseline of expected functionality that commercial companies can’t overcharge for. This forces innovation in the market to stay profitable, which is a very good thing.

Today’s security ecosystem is churning, especially for contractors serving the Defense Industrial Base (DIB). Standards like the Cybersecurity Maturity Model Certification, NIST SP 800-171, and others are being finalized to create a training, consulting, and certification market based on those emerging standards.

[Photo: Cover of Computer Reseller News, September 2002] On the cover of CRN in August 2002

The good news is that these actions have spurred tremendous opportunities for companies supporting government contractors. The bad news is that just like during the Internet land rush in the 1990s, the costs and quality of those services vary widely. It is typical for a small business to spend $15K to $30K and 90 days or longer to become a CMMC Level 2 business. This certification is required before submitting proposals for Department of Defense (DoD) contracts.

I’m not saying this isn’t necessary. The DoD must protect its supply chain from advanced persistent threats, such as those from other nations and organized criminal enterprises. Industry reports have consistently shown that many contractors who perform self-assessments overstate their security capability. Recent headlines agree. It can be costly to have a CMMC Third Party Assessment Organization (C3PAO) review your System Security Plan (SSP) and validate it against your actual infrastructure and processes.

[Photo: 2004 LinuxWorld Speaker] Speaking at LinuxWorld in 2004

The incentive had been for a small business to self-assess compliance with CMMC Level 1 or 2 and kick the security can down the road to deal with later. Until Oct 15, 2024, that was the status quo. That was the day the final rule (32 CFR Part 170) was approved; it is expected to begin phasing in over the next four years. It has removed the ambiguity about knowingly providing false claims to the government.

We need an open-source solution to assist small businesses in performing self-assessments and developing documentation and tools to validate their security for CMMC. It shouldn’t cost a business tens of thousands of dollars just to get equal footing with larger, more established companies.

Here is me putting my money where my mouth is:

https://cmmcexplorer.com/
https://gitlab.com/h3tllc/