In Orbit: A KBR Podcast

Assessing and Defending the Cyber Realm

KBR, Inc. Season 5 Episode 11

If you want to work with the U.S. government, you have to meet certain requirements, especially when it comes to cybersecurity. To ensure KBR meets those requirements, and to help customers do the same, we work with outside experts to assess the cyber landscape and shore up digital defenses. In this episode, Warren Holt from KBR’s Defense and Technology Solutions business unit and Brandon Mercer from Biorn Group Cyber discuss KBR’s commercial cybersecurity program and how partnership with Biorn Group is keeping KBR at the forefront of cyber readiness.

INTRODUCTION

John Arnold:

Hello, I'm John, and this is In Orbit.

Welcome to our humble little podcast. We're glad you're checking in with us and staying in our orbit. We've got a great episode for you today about something that's near and dear to all of our 21st-century, technology-saturated hearts, and that is cybersecurity. Pretty much at all times nowadays, cyber threats are lurking in ways large and small, from individual identity theft to massive state-sponsored attacks on critical digital infrastructure. KBR is a leader in cybersecurity solutions, providing cutting-edge technologies that help both commercial and government customers drive their digitally enabled projects and keep them safeguarded from outside threats. Rightfully, customers like the U.S. Department of Defense have specific requirements in place that must be met in order to work with them.

So, both to ensure KBR is meeting those requirements, and to help our customers do the same, we work with outside experts to assess the cyber landscape and shore up digital defenses. Today, we're going to talk specifically about KBR's commercial cybersecurity program and our relationship with Biorn Group Cyber, and how that partnership is keeping KBR at the forefront of cyber readiness. And we're excited to have a couple of guests with us here today to talk about it. Warren Holt is director of commercial cyber with KBR's Defense and Technology Solutions business unit, and Brandon Mercer is a cybersecurity expert and consultant with Biorn Group Cyber and a certified cybersecurity maturity model assessor. Welcome to the podcast, gentlemen.

 

INTERVIEW

Brandon Mercer:

Thanks, John. Thanks for having us. Excited to be here.

Warren Holt:

Yeah, thanks for having us.

John Arnold:

Yeah, been looking forward to talking with you guys about this, an especially timely topic, and a very important one for a company like KBR. But before we get started, we want to give our listeners a chance to get to know you guys. So, I wonder, Brandon, maybe we can start with you. Just tell us about yourself, your background, your career, and how you arrived where you are today with Biorn Group.

Brandon Mercer:

Yeah, absolutely. So, I've got a unique background. I started, of course, right out of high school, I dove right into manufacturing. So, I got into manufacturing, and then I spent a number of years, 15 years, in manufacturing, started from the ground, went through apprenticeship, all these kinds of good things, learned to be a machinist. Then, I jumped from that and went to the management aspect, and I started looking into different things in standardization, policies, procedures, and then I jumped into the ISO realm of things when it comes to the manufacturer and how that's placed there, talking about things like data loss prevention, personnel security, things like this to protect the information at hand when it comes to proprietary stuff and things like that with the organization I was with. And that's what stemmed my interest in the IT world and the cybersecurity aspect.

And how I got into it ... It's a funny story. My neighbor was the CEO of Biorn Group Cyber, and he was like, "Hey man, I heard you're into cyber. Why don't you come aboard?" And I was like, you know what? That sounds like a good idea. So, I started working both jobs, management of operations over at a manufacturing facility, and then I did the cybersecurity on the other side, and then I dove into CMMC headfirst; that was about three years ago now. And I just fell in love with it, helping out organizations, getting them to where they wanted to be, spreading the knowledge of all the different nuances. It struck my interest, and that's where I just dove in and started going off with the CMMC, and taking off from there, grabbing the certifications of professional and then assessor right behind it, and ever since then, it's history. Right?

John Arnold:

Awesome. I love to hear about the gradual movement from more hands-on, tactical machining to the cyber realm, like a use case for the modern world. Warren, what about you?

 

Warren Holt:

Yeah, so I've been with KBR now for about a year and a half, and it's been a great company ever since. My background, under the cyber umbrella, I wore a lot of those hats. I won't go into all those different careers, but I started off in system administration, system engineering, and then IT security, which eventually turned into cybersecurity, and I've been on the government side and the private sector side, and now I'm with KBR. And KBR has been just a great company to be with; they allow me to use the skill sets that I've gathered over the years across the KBR business unit. So, it definitely keeps me busy, and working in the commercial sector with the team has been challenging but rewarding at the same time, because as you know, everyone is having the same issues when it comes to cybersecurity, and just trying to be better and more protected when it comes to protecting our systems and our people. So, just a little bit about me.

John Arnold:

Awesome, thanks so much for sharing your backgrounds with us, you guys. This is an interesting episode because it's not often that we get to have a third party with us. And so, we're really excited to have you with us today, Brandon. I wonder if you could tell us a little bit about Biorn Group Cyber, and Warren, then maybe y'all can tell us about the relationship between Biorn Group and KBR.

 

Brandon Mercer:

Absolutely. So, Biorn Group Cyber started as a 501(c)(3) non-profit. It started out helping the younger generation and getting folks into cyber, and really focusing on the veterans, the veteran aspect, getting out and helping these guys, giving them that career path and that move forward. And so, they developed into the SDVOSB, the small business for disabled veterans, and we're a veteran-owned, disabled veteran-owned, of course. And then we developed an RPO side, the CMMC RPO, which is a registered practitioner organization, and we focus on the consulting and helping the organizations from start to finish on that CMMC journey. And we're talking all the way from scoping, gap assessment, POAMs (plans of action and milestones), and then the remediation behind it as well. We can even steer you in the correct direction to get you that final C3PAO, which is that third-party assessment organization, to get you that certification in the end. So, that's a little bit about Biorn there on the high level.

John Arnold:

That's awesome. I didn't realize that about it being a veteran-owned organization and providing opportunities for veterans post-service, that's fantastic. Warren, would you tell us about the relationship between KBR and Biorn?

 

Warren Holt:

Yeah, of course. About a year ago, I was at a conference in Charleston, and it just so happened I saw the Biorn Group, they had a table there. I met the CEO, Khanh, and as Brandon would tell you, Khanh [Tran] is just a great character, always outgoing. I think he's on a Red Bull like 24 hours a day.

Brandon Mercer:

Oh yeah.

Warren Holt:

And I said, "Hey, nice to meet you." And he told me about his company, and they're a CMMC service provider, and just the energy was right. It just felt good. And I said, "Okay, let's stay in touch." And so, he didn't think I was going to come back and talk to him again, so I came back and talked to him at break, and we just kept talking. And I said, "You know what? Maybe let's stay in touch and see what happens as CMMC gathers momentum." KBR, we're not quite sure. A lot of us, we don't quite know where the policy and the law are going to go, but we want to be ahead of it. And so, Khanh was like, "Yeah, sounds good." Khanh took it very seriously that this would become a law and a policy one day, and Brandon will go into details later on this podcast on what that means, and we stayed in touch ever since.

And so, as we started to kind of grow our relationship, I said, well, maybe this might work, maybe a strategic partnership between Biorn Group Cyber and KBR might actually work. So, when the floodgates open up and there's all these requirements for CMMC, we'll be able to address every requirement with the backing of KBR, a very large company, and a great company like Biorn Group Cyber. Let's see what happens. And fast-forward to today, things are starting to pick up a lot of speed and we've been working really well together as a partnership. I'm sure Brandon will tell you it's a very good synergy. And as we get calls daily from industry on, "Hey, can you help me with my CMMC requirements?" we've been handling those requirements together in a partnership. So that's a little back story on how we met. One thing about Biorn Group Cyber, it's an outgoing group. Their culture kind of fit the KBR culture. It just felt really good, and today it's getting even stronger. So that's kind of the history of how we met. And so we decided to talk to our internal leadership and legal department and see if we could make this a reality. And we've done that.

John Arnold:

Fantastic. Well, don't let anyone ever tell you that important things and meetings don't happen at conferences, that conferences are a waste of money. Obviously not the case. So as we know, the proliferation of digital everything, it's been here for a while. Cybersecurity is of utmost importance. I feel like every other day we're hearing about some hack or near-peer adversary, and that's for individuals and companies. So Warren, would you tell us about KBR's commercial security program?

Warren Holt:

Of course, love to. So our commercial security program is not traditional KBR. We provide managed services to industry, small, medium, and large companies. Those offerings consist of our personnel security services, which is the traditional facility security officer, which is our most popular service. And we also have cybersecurity, of course, as a service. We have the CMMC requirements that we partner with Biorn Group Cyber on. We have traditional cyber requirements such as the risk management framework, assessment and authorization, the things that we're familiar with on the DOD side of the house. So we offer those as a managed service. And so that's kind of our traditional framework on what those services are. We continue to add services to that library. We have some new things that we're going to add to that as we grow the group. So that's a little bit about commercial cyber. And so we're very flexible when it comes to working with industry partners, smalls and mediums specifically, because everyone has a tight budget, and so we do our best to help them with the requirements. So just a little bit about commercial security.

John Arnold:

Fantastic. Yeah, everything's about efficiency. Do more with less.

 

Warren Holt:

Yes.

John Arnold:

Brandon, would you give us a deep dive into some of, what I just mentioned, these near peer threats and why the U.S. Department of Defense is focusing so much on cybersecurity right now?

 

Brandon Mercer:

Yeah, sure. I'm glad you brought that up, right, because that's really the why behind the CMMC program and why it's so important. When people think about hackers, it's not just about stealing credit card numbers and things like this. We're talking about state-sponsored adversaries that are constantly running ongoing campaigns, like we're talking China, Russia, other big names out there that are trying to steal intellectual property, things like that. Very important things that are mission-critical. And when I say mission-critical, we're talking that supply chain as a whole.

And also they like to target things that we call the soft underbelly, as we like to say on our side. And when I say soft underbelly, we look at these small businesses, the smalls and mediums; they're really the heartbeat of the supply chain. When people hear supply chain, they oftentimes think of the large primes, those big names, but what's really important and what holds it all together are the smalls and mediums that are building these small components or something that's extremely critical to the technologies that are out there. And it's very important that we get these organizations certified and make sure we have security as our top priority, because these are things that are putting our adversaries ahead of us. If they can grab hold of these small components, these blueprints, drawings, things like this that are really, like I mentioned, mission-critical, right? These can really be a detriment to the security not only of the organization, but the nation's security as well.

John Arnold:

It's interesting to hear you talk about the different kinds of attacks because for me, as someone who's had my identity stolen, when I think of things like that, even with near-peer adversaries like Russia and China, you think of those attacks on critical infrastructure or something like that. My mind doesn't immediately go to supply chain disruption and how critical that is for everything from energy to defense. It's interesting to think about those smaller organizations being targeted and needing to beef up their cybersecurity.

 

Brandon Mercer:

Absolutely.

John Arnold:

In order to work with the U.S. Department of Defense, companies like KBR have to be more secure obviously as well. Brandon, would you tell us about what the whole point of our conversation is today, which is the Cybersecurity Maturity Model Certification or CMMC and why it is so important?

 

Brandon Mercer:

Yeah, absolutely. I'm glad you spelled out the acronym for it, CMMC. So for many years now, it's been a requirement to safeguard that CUI or that FCI. It's been a requirement in the past, but the caveat to it was that we were allowed, as an organization, to self-assess and attest to being compliant. And with that came gaps. And it is not the organization's fault; this is just you don't know what you don't know when you think about it as a whole. So the requirements of NIST SP 800-171 have 320 objectives, and your security on your end may look great, maybe solid, you think. But whenever you get in there and you have these professionals come in and take a look, you actually see, oh, there's some small low-hanging fruit that we can grab here and there that could actually get us to that next level and really protect our organization and our information and the things that we create.

And whenever we talk about that, some of the things that are important about the CMMC is having that C3PAO, that certified CMMC third-party assessment organization, come in, and it's like a second non-biased set of eyes on your organization to make sure. And it's holding the organization accountable as well, to make sure that yes, we are in fact secure and compliant with the NIST SP 800-171 framework. So that's why CMMC is a little bit different than what it has been in the past and what makes it so important and a lot more... It puts quality first. You think about the quality of the security and making sure that these organizations are actually hitting that milestone and that mark that is required, the standard, so to speak. And that third-party assessment is really what seals it in. There's no more self-attestation or anything for level two and above when it comes to the CMMC.

John Arnold:

Brandon, do you mind if I ask you one off the cuff? And that is just to describe sort of what during the CMMC, what Biorn Group is looking at exactly to make sure that these organizations are safeguarded and they have those checks in place?

 

Brandon Mercer:

Yeah, absolutely. So like I mentioned earlier, one of the biggest aspects is that education piece, right? You don't know what you don't know. And I've mentioned it before, these organizations, whether they don't know or don't understand what CMMC stands for or what the requirements are, but it goes even deeper. Yeah, you may understand those things, but when it comes to our scope, what does our boundary look like? What does our environment look like? How do we control the ins and the outs of that boundary? And then also within it. And what Biorn Group Cyber does is we'll help you define what those boundaries and that environment look like, and then make sure that you have all the measures in place. And with that comes the whole process of the gap analysis. We'll go through each individual control, each individual objective, make sure everything is sealed up very nice and tight, and for the gaps that we discover, we create what's called a POAM, a plan of action and milestones, and it's kind of like a project plan. You have that project plan of how you're going to remediate those gaps, and then once you get those gaps remediated, then we can start looking at how we can possibly throw in a mock assessment and make sure everything's looking good. And then, we'll get you prepared even further from that mock assessment for that formal assessment and make sure we can grab that end goal, that true north of that final CMMC certification.

John Arnold:

Awesome, thanks so much for the clarification. Unless our listeners are majorly in the weeds on cybersecurity, which I'm sure a lot of them are because we have a lot of subject matter experts that listen to the podcast, but they might not be familiar with what CFR 48 is, which is extremely important for KBR. So Brandon, why don't we start with you, would you tell us about what CFR 48 is?

 

Brandon Mercer:

Yeah, CFR 48, Code of Federal Regulations, Title 48. And currently what's out there is CFR 32, so coming very soon, very soon, and this is what's knocking on everyone's door, is the rollout of this 48 CFR that's going to come into effect in November. November 10th is when this starts to roll out and we begin that two-phase process of putting CMMC into the requirements for your contracts when it comes to DOD support. And it's really that connective tissue of bringing CMMC in as a requirement and making it into the standard that it was meant to become, to be eligible to be on these DOD contracts and support us as a nation when it comes to security and the supply chain, in whatever aspect you guys play as an organization.

John Arnold:

Gotcha, understood. Warren, do you have anything to add to that?

 

Warren Holt:

No, I think Brandon hit it exactly. In order for any company to do work with the government going forward, they're going to have to have their CMMC compliance, phase one, phase two. And right now, that looks like that's going to become an official policy, so everyone has to comply with it. But Brandon was spot on with defining what the CFR 48 is and what that means as far as the impact to industry.

 

John Arnold:

And so, really, CFR 48, is the new guideline, the standard that must be met for companies to do business with the government?

 

Brandon Mercer:

That's correct.

Warren Holt:

Exactly.

John Arnold:

Gotcha. So it's coming up, it's just in a few days, as of time of recording. So what is the timeline to meet requirements, the milestones that are necessary? Brandon, would you walk us through that?

 

Brandon Mercer:

So it's going to roll out in a two-phase process, and it stems over three years. So like we mentioned, November 10th is when this process begins and it begins that three-year phase, phase one, and this is commonly referenced as the implementation stage. So this is the time that you have to start getting your organization ready and be able to put in that work that it's going to take to get you certified. And whenever that three-year mark is up, this is in November 10th of 2028, it's rolled out, it's a standard. In order to be awarded a contract, you must be certified through CMMC, whether it is level one, two or three, whatever that might be on your organization.

 

And there's a caveat to this. It's a three-phase rollout, but at any time, if the DOD deems a certain contract to be more sensitive than others, they can roll this out sooner. They can handpick the contracts that they believe should have the certification requirement now. And it's one of those things, there's no information out there on what contracts this will happen to. And I tell our clients, "This could happen to your contract. If you think you might be handling some sensitive things, creating a very mission-critical component or something like this, this could happen to your contract, where the DOD says, 'Actually, we believe that you need a certification now,' and then you miss out on that three-year phase one rollout."

You'll have to be compliant at the day of award. It doesn't mean you can't bid on it, but whenever they're looking at their bids, they're going to see who's certified and who's not, and they're more likely to pick the ones that are going to be certified come time of award rather than the ones that aren't. So that's something to take into account whenever you're thinking and trying to bid on your different contracts and get those acquisitions for your organization and things, because CMMC is coming and it's coming fast.

 

John Arnold:

Yeah, definitely, it sounds like it, and definitely want to be prepared to seize as much opportunity as you can for a company like KBR, for example. So what are some of the challenges that contractors are facing in meeting the requirements necessary for their certification?

 

Brandon Mercer:

Yeah, we can talk about that a bit. I know I mentioned a little bit earlier that education piece, and this is massive. When we get in there, we like to make sure not only is the team involved in getting the education, but also the team that's not necessarily on the outskirts. We want to make it a part of the culture of the organization to understand that cybersecurity and understand their role in the requirement, because it touches on all aspects of an organization. So just understanding those different educational pieces is a very important baseline when it comes to the CMMC requirement.

 

And then, when we move from there, we start talking about what do those education pieces look like, we talk about our scoping and our boundary and understanding what our environment looks like. Maybe you have some managed service providers, MSPs, some ESPs, external service providers, are they the correct fit for me? Where do they fit when it comes to CMMC requirements? Because they're also required to uphold a certain portion of that. So just having those discussions with organizations, helping them pick out the solutions that work best for them, the ones that are going to ensure their compliance.

And one of the other biggest things, there's a lot of pieces that go into this, and we talk about the documentation and the policies, we go into an organization, they may be missing ...

 

They have no policies. They may have something small, like an acceptable use policy, but in the world of CMMC, this is very important to touch on each domain and all your policies and how your organization handles each individual piece of it, and that's a thing we do as a partnership is help out with these organizations, develop those policies, develop their documentation, collect their evidence, and then create those POAMs, that Plan of Action and Milestones, where they go in there and understanding how they can close up those gaps and close out those projects that are identified and what direction they should go. Whenever we identify a certain gap, how do we remediate that? And then, once we remediate it, how do we continue to make sure that it's going to stay in compliance? And that's that continuous monitoring piece Warren spoke about a bit ago as well.

 

So there's a few different things that we try to tackle as much as possible. We like to keep an open phone line as well, we like to always say, "If you have a question or anything like that from your organization, make sure you reach out and we can get those answered for you."

 

John Arnold:

Awesome. Sounds justifiably comprehensive. There are a lot of moving parts to it. It's interesting to think about, it's not just an evaluation of the organization that you're helping, but it's also an evaluation of organizations that the organization is working with, to make sure that all of those ins and outs and all the bases are covered. That's really, really interesting.

 

Brandon Mercer:

Yeah, absolutely. And it's sometimes easily overlooked as well, so it's very important, there's a lot of moving pieces to this puzzle.

 

John Arnold:

Yeah, absolutely.

Warren Holt:

Just to add to Brandon's comments, which are spot on, one reason that we have this team, KBR and Biorn together, is to help address all those many moving pieces of this for companies, because they're overwhelmed, they're overwhelmed. They're like, "Okay, where do we begin? Where do we start?" And then, what we would like to do is alleviate some of that pressure as a team to help each company meet their compliance requirements.

John Arnold:

That's awesome. Thanks, Warren. So this is an interesting question, how is Biorn Group helping KBR overcome some of those challenges? What are some of the specific instances that we can talk about here, without going into any confidential or privileged information, of course?

 

Warren Holt:

Well, I'll give that a go, Brandon. So just us being in partnership together with our team and Biorn — every day we talk, every day we collaborate in a meeting, we're learning something together. Our program manager, Adriana Perkins, who's working with her team and Biorn to manage each requirement, and we're in weekly calls with the Biorn team and our potential customers and we're learning together. So that benefit to us is learning with the experts, which is Brandon and his team. And then we take that knowledge that we've learned internal to KBR, and this has actually just happened this last week, and we're sharing some of our knowledge with internal stakeholders for some of their requirements for CMMC. So it was definitely a win-win.

 

John Arnold:

Fantastic. Yeah, it sounds like it. Well, gentlemen, this has been amazing. Are there any parting thoughts that we want to talk about that process or any other things that you would like to leave our audience with before we let you guys go today?

 

Brandon Mercer:

Yeah, certainly. What I want to talk about is that open phone line I mentioned, right? I know it can be overwhelming. As Warren mentioned, it's very tough going out there and staring CMMC in the face by yourself, alone. And I want to make sure that we are here for any of these organizations that have questions, have concerns; we're here to answer those for you and make sure that you have that go-forward path, right? Because this is a giant project and you can't get projects done without project management. And that's one of the things that CMMC is, it's a giant project, and we want to help manage that project for you and get you from start to finish and ensure that you can grab that true north, as I mentioned before, that compliance in the end. And that's one of the things, and that open phone line is always there.

Warren Holt:

And just to add to that, Brandon, he's right. It's all about communication flow. We don't know if we don't know. So we try to have very clear communication on our requirements as partners, KBR and Biorn. And with that, that's kind of set us apart from our competition. We're in a business and so one of our discriminators that sets us apart from the competition, we are going to work with the customer from the beginning to the end of that life cycle. What we've been noticing is some of our competition because now that CFR 48 is going to become a policy, the competition's like, "Hey, we can do it too. We can help you too." And what is that doing? People are coming in lower than everyone else. "Hey, we can do this for X amount of dollars, cheaper than you."

 

So what we do as partners, we kind of work within all that noise and we're helping our customer. Yes, you have a choice to pick whoever you want to help you with your requirement, but by coming over to KBR and Biorn, we're going to help you from the beginning, and then we're going to help you through your phase one, your phase two, and then all the hard stuff that comes after your certification. These are the things that people don't realize. The continuous monitoring of those security findings in the POAM, the IAVA compliance, which is your patch management, all those things are what companies don't want to do. That's the minuscule work, but it's very important work. Our team helps you the entire time after certification, after your phase one, after phase two, we're with you as a partnership, and as long as they stay with us, we're going to be committed partners and we're going to meet those goals, because at the end of the day, we all have the same objective, right?

We're here to make sure that we keep our data secure, we keep our people secure, and as partners, Biorn and KBR, we're going to give you the best product. At the same time, we're going to build a relationship with you. This is long-term relationship. We see this as a marathon and not a sprint. And so our discriminator is we do the entire life cycle of CMMC from cradle to grave, and the best way to get in touch with our team is through our global email address, that's KBRcommercialsecurity@us.kbr.com. KBRcommercialsecurity@us.kbr.com.

 

Brandon Mercer:

No, Warren, I think you hit the nail on the head, right? I mean, it's been a great episode. I appreciate John for having us on here. I had a great time. It was a blast.

Warren Holt:

Yeah, same.

John Arnold:

Yeah, it's been a pleasure, and thank you guys so much for telling us about what KBR is doing and what Biorn Group is doing, and the services and support offered to really shore up businesses and supply chains at a critical time, and we couldn't be more happy that we had you guys on today. We appreciate your time.

 

Warren Holt:

Thank you, John. We appreciate your time. Thanks, Brandon.

Brandon Mercer:

Yeah, John, thanks a lot. Thanks, Warren.

CONCLUSION

John Arnold:

As you can see, when it comes to cyber readiness and resilience, the stakes are high and the requirements to protect digital environments are strict. Fortunately, KBR and Biorn Group are working together to meet the needs of valued customers like the U.S. DOD. We appreciate Warren Holt and Brandon Mercer being with us, and look forward to hearing about future developments in this cyber compliance journey. If you'd like to start a conversation with Warren about cybersecurity solutions offered by KBR, again, you can reach out to the team at kbrcommercialsecurity@us.kbr.com, that's kbrcommercialsecurity@us.kbr.com.

If you'd like to say hi to us on the podcast or tell us about an idea you have for a future episode, please feel free to email us at inorbit@kbr.com.

 

And as always, we want to thank you, our listeners. Your time is precious. We know that, and we thank you for taking time out of your day and keeping us in your orbit. Be kind to each other and take care.