Last Updated on June 29, 2021
Many SMBs investing in security services, including threat detection and response tools like endpoint detection and response (EDR) and network detection and response (NDR), are looking for both security and compliance benefits. Can today’s managed security solutions help streamline cyber compliance, especially with Cybersecurity Maturity Model Certification (CMMC) and/or NIST 800-171 requirements?
To discuss the full spectrum of benefits from managed security services, a recent episode of The Virtual CISO Podcast featured Chris Nyhuis, President and CEO at Vigilant. John Verry, Pivot Point Security’s CISO and Managing Partner, hosted the show.
Vigilant offers a blend of “team + technology” that goes beyond automation, aiming to stay ahead of threats instead of playing catch-up. But can Vigilant’s services address CMMC requirements in areas like security monitoring?
According to Chris, the answer is an emphatic yes: “With just the three services we provide on the Vigilant side of the business, we meet around 82% of the CMMC requirements. And, really, spinning up CMMC compliance is fairly fast in our client environments. … I mean, just 24-hour turnarounds, and installations that take less than an hour to really spin up a very mature infrastructure. You just plug things in, and turn it on. … So it’s not hard to get there.”
Chris continues: “We had a defense contractor that had a two-and-a-half year rollout plan for CMMC that would make it impossible for them to meet any deadlines, and $1.5 million [cost] to deploy. We probably should have charged more, because we were able to [quickly] deploy, and we got them to $27,000 a year. From other things they had, plus us, they ended up with about 8% of things they still had to do.”
“With CMMC, what a lot of companies are doing out there is just checking the box, and you can’t do that. You have to deploy CMMC in such a way that not only meets [compliance], but also gives you good security. Because no one’s going to care if you’re CMMC compliant if you get hacked. You’re still going to lose your contract,” contends Chris.
“The second big mistake that we see people making is they don’t understand compensating controls,” Chris observes. “There’s a lot of different things you can do that add up to fulfilling a control, and organizations may already be doing a lot of these controls, if you combine them. So they go out and spend a significant amount of money getting new controls that they already have covered by their compensating controls.”
“Just to be clear, you’re covering 82% of controls that need to be implemented, not 82% of the work that needs to be done to become CMMC certified,” stresses John. “Because you’ve got to start with scoping, you’ve got to conduct a risk assessment… Because of the process requirement, you’ve got to document all your policies, standards, procedures. You’ve got to make sure that you’re generating the observable artifacts across the different use cases; two data points for each control.”
“But I agree with you completely, that you could probably take that whole [CMMC] Audit & Accountability domain, and just go, ‘Well, that’s done,’” reassures John.
“A lot of these organizations, … they don’t know themselves very well,” Chris adds. “We’ll come in, and we help the auditors that are coming in, understand what’s going on better, so that way those organizations start at a very good spot, and then move forward.”
“Not only that… so much of CMMC [compliance] is generating the auditable artifacts and the evidence, right?” says John. “Your tools can be used to evidence a large chunk of those controls.”
SMB security leaders looking toward CMMC and/or NIST 800-171 compliance will surely appreciate this podcast episode with Chris Nyhuis, Vigilant CEO.