Now meet Lt. General David Bassett, the Director of the Defense Contract Management Agency (DCMA). LTG Bassett jumped onto LinkedIn (you should already know how this ends just by that, alone) to give his idea on how to shore up the Defense Industrial Base (DIB), that massive collection of private contractors who sell to the US Federal Government. Bassett, per the official DCMA webpage, “manages 225,000 contracts, valued at more than $3.5 trillion, at 15,000 contractor locations worldwide.” So one would hope he knows what he’s talking about.

One would be wrong.

Bassett jumped on the usual lazy argument that securing the DIB is just a matter of everyone getting on with improving their cybersecurity, on their own, and on their own dime, suggesting that it’s all as simple as doing some “push-ups,” and then implying the DIB is lazy and shouting, in all caps, “WHAT ARE YOU WAITING FOR???”

Here’s his post:

Again, you already know where this is headed.

So I responded by reminding the Lt. General that CMMC and NIST compliance is very expensive, and not nearly as easy as doing “some push-ups.” And Bassett immediately deleted my comment.

Then, the usual private industry suckups chimed in, trying to win Bassett over in order to get some gooey FedGov contracts. This included, of course, Linda Rust and Kevin Fahey, the latter of whom created the entire Katie Arrington/CMMC debacle. When Fahey said Bassett was “100% right,” I commented, “No he’s not, he’s an idiot.”

You see, I really don’t care what rank or uniform you have. If you say something stupid, and then hide from mature debate by deleting my comments, I’m going to call you out on it.

Within five minutes, Bassett sent me a direct message and suggested I provide “constructive feedback” instead. I couldn’t answer right away, but the next day I did just that, and laid out the entire map for him.

One more time, for those in the back: you already know how this ends.

I’ve included the full transcript of our chat below. Some quick takeaways:

  1. For a Lt. General of the US Army, Bassett’s sensitivity to even mild criticism is astonishing. He couldn’t be more thin-skinned if he were made of wet tissue paper. If being called an “idiot” on social media drives this guy to this level of stupidity, imagine what he’d be like if he actually had to face a real enemy of the United States? One hopes the Chinese will be more polite than me when they’re raining bombs down on us.
  2. Bassett’s bio suggests he spent a little time in Germany and Europe, but none in any serious hot zone. Except for a stint in New Jersey, so he deserves some credit for that.
  3. Bassett refuses to seriously acknowledge any of the suggestions or factual points I made (like having a single Fed enclave, the cost of CMMC/NIST/DIBCAC compliance, and the DCMA’s failure to rein in companies like Pratt Whitney). Instead, he keeps bringing the conversation back to him, and how I hurt his feelings. (Here’s the Pratt Whitney story.)
  4. Bassett even ignored my suggestion that he meet with a roundtable of actual experts (not me) to explain the idea of the single Fed enclave. Fortunately, some other folks have since chimed in to make that meeting happen, and Bassett is promising to participate. We will see what comes of that, and I will report back.
  5. Bassett expected me to solve all his problems in a few messages on LinkedIn. If I could do that, then perhaps they should give me his rank and pay, and he can have mine. Better yet, give me Elon’s pay, since I’m gonna solve world peace in DMs.
  6. Bassett thinks an “analogy” is something you can say, and then claim later you didn’t. That’s not how analogies work.
  7. Have I mentioned how thin-skinned this guy is?

Here’s the full transcript, up until the point that Bassett (get ready…) blocked me on LinkedIn. Because that is what Lt. Generals who have control over $3.5 trillion in government spending do. They suck up to people who praise them, and run from those that hold them to a higher standard. Not at all corrupt.


LTG Dave Bassett  6:56 PM 12-02-2022

Constructive feedback

If you’ve some constructive feedback you’d like to provide please send it. If you reread what I posted it was encouragement to secure DIB networks. It wasn’t a specific endorsement of CMMC or the approach within it.

Christopher Paris  8:34 AM 12-03-2022

Constructive criticism incoming. The DoD is the most-funded organization on the planet, but is trying to do DIB cybersecurity on the cheap. It wants to offload national defense back onto the people and companies the DoD is tasked with defending. DoD has allocated zero dollars for NIST and CMMC compliance for the DIB and instead is trying to guilt-trip companies into complying (as you did in your post). Meanwhile, the estimated costs of such compliance are escalating, with the latest estimates being $200,000 and up per company, no matter how small the company is. That results in angering DIB company reps, and having the exact opposite effect. Companies are saying, fine, go buy from China, then, we will just sell our stuff as COTS instead. And this will bankrupt small and medium sized companies, resulting in fewer suppliers for DoD. So, the DoD doesn’t have the stick that they think they do, but everyone’s too smug to notice.

Instead, the DoD should create its own enclave to house CUI and other contract data, and force companies to use that. DoD could then take responsibility for the security of that data, and do its actual job: defending the nation. When people file their taxes, they have to use the IRS portal. Veterans have to use the VA portal for their healthcare issues. Bidders have to use SAM.gov. There is ample precedent for this, but it would mean DoD has to actually spend some money, and have skin in the fight, rather than offload it all.

If national defense is now the job of private citizens, there’s no real reason to have a DoD or DCMA, is there?

Next, DoD and DoJ have to enforce the rules fairly. If Booz Allen or Boeing don’t comply, they get debarred the same as Joe Machine Shop. Right now, everyone knows that doesn’t happen, and only Joe faces punishment. Because DCMA will always overrule investigations, including DODIG probes, allowing the big guys to keep getting contracts no matter how many DFARS and laws they break.

I’ve provided white papers, testimony, and whistleblower reports for over 20 years on this, including to DCMA, and it’s sad that they go ignored until I call some guy an “idiot” on LinkedIn. Then, suddenly, the thin-skinned cheeseballs pay attention. DCMA is entirely broken, and exists to support high-dollar donor companies that can ensure incumbent politicians hold office, not actually ensure the US government gets the best deals on quality products and services. But with a virtually unlimited budget, there’s no accountability.

So, you see, it’s a little more than push-ups.

LTG Dave Bassett  8:41 AM

I never implied it was like push-ups. You’re obviously not capable of understanding an analogy. Calling me an idiot won’t get you heard. But I am professional enough to consider your input despite your unprofessional behavior. You don’t know me. You’ve never met me. You don’t know my technical background (I have one). You don’t know how I lead. What I said was don’t wait for final standards. Move out and start complying; the DFARS clause is already probably in your contract. Curious about 200k compliance cost. Do you have a breakdown of that? Any particular control contributing to that number?

Christopher Paris  8:43 AM

LTG Dave Bassett  8:44 AM

It’s an analogy. You can’t understand that?

Christopher Paris  8:44 AM

And calling you an idiot LITERALLY got me heard. I do see you deleted my comments, and kept up all the fawning praise from the contractors trying to suck up to DCMA though

Here’s a hint. Don’t post on social media if you can’t take criticism. Log off then.

LTG Dave Bassett  8:45 AM

Absolutely I did. You didn’t add to the discussion. Want to attack me? Go to Twitter. LinkedIn is a professional forum.

Christopher Paris  8:46 AM

Because the way I see you “leading” on social media is sniffing around for compliments from the people you should be agnostic with and dodging responsibility. That’s not leadership.

LTG Dave Bassett  8:46 AM

I actually responded but when I saw the name calling I deleted all of it.

I barely post on LinkedIn other than to maybe draw some attention to a retiring officer or praise my team. What on earth are you talking about?

Christopher Paris  8:47 AM

How did the US defense industry get filled with so many thin-skinned, egotistical softballs? You should just step down now.

LTG Dave Bassett  8:48 AM

You literally have no idea who I am or my reputation. Look at what I’ve managed and how it’s turned out. I am anything but what you’ve described.

Judge that and let me know.

Waiting on the breakdown of the 200k. Doubt you have anything credible.

Christopher Paris  8:53 AM

You didn’t answer a single point I raised in my response, but obsessed about yourself instead.

https://www.theneteffect.com/cmmc/20221121.php

And NDIA’s figures are already too low. I have real clients right now paying more than that, with only 15 employees.

The fact that you don’t know this is stunning, but also not unexpected. If LinkedIn is the “professional” network you claim, maybe do research next time before shooting off uninformed.

LTG Dave Bassett  8:54 AM

Send me details. The rest of what you said was scar tissue and broadside accusations of bias. Nothing I say would change your mind.

Christopher Paris  8:56 AM

I literally just sent it. Use your finger to click the link. The mouse is probably on the right of your keyboard.

LTG Dave Bassett  8:58 AM

I read it. If you’re already in compliance with the NIST standards in the DFARS clause those are not additive costs.

And when we go out and check, most companies are not complying with the NIST standards (despite claiming they are).

The alternative is us going out to verify compliance which clearly we don’t have the capacity to do beyond a limited scale.

Christopher Paris  9:00 AM

You just contradicted yourself. I know that companies are not NIST compliant, which is my point. They can’t afford it.

LTG Dave Bassett  9:00 AM

So what should we require on our contracts? Do you want a different standard or just let it rip?

Christopher Paris  9:01 AM

I gave you the solution already. Create the enclave, make DIB companies use that. Problem solved.

LTG Dave Bassett  9:02 AM

Not that simple. What about a drawing that they need to send to a machine outside of that enclave? Gross oversimplification.

And you’re acknowledging that most companies just ignore the cyber requirements in their contracts.

Christopher Paris  9:04 AM

Machine shop accesses the enclave. For OT systems, it gets tricky but can be done.

LTG Dave Bassett  9:04 AM

You are so arrogant you think no one has talked about that solution?

Christopher Paris  9:04 AM

Of course I’m acknowledging it. Companies violate HIPAA and EPA and OSHA and seat belt laws all the time. If you don’t enforce it, it’s pointless.

DODIG did an audit of Pratt Whitney against AS9100 and found over 40 major nonconformities. Did DCMA do anything? Of course not, Pratt just kept winning new contracts, despite the fact that human life is at risk. If there’s no enforcement, it’s pointless.

And if you want to have a serious discussion about alternative solutions, we can set up a roundtable with actual professionals. I won’t even speak. But smarter people than me have pitched the DoD enclave, and it’s been rejected because DoD doesn’t want to spend any money.

LTG Dave Bassett  9:08 AM

I don’t mind criticism but I will not work with people who are unprofessional. In uniform or out. No thanks. Be better.

Christopher Paris  9:09 AM

Of course, tone policing is the last refuge of people without spines. Good luck with that.

LTG Dave Bassett  9:09 AM

Sounds like you’ve struggled with it throughout your career.

[Bassett then blocked me.]


You see? I told you that you knew how this would end.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
