March 11, 2022

Last Updated on January 18, 2024

As the US Department of Defense (DoD) rolls out its new cybersecurity program around CMMC 2.0 and NIST 800-171, “continuous compliance” will soon be a business imperative for thousands of firms in the defense supply chain. Are there benefits to all that data gathering besides not violating your contract terms? How can continuous compliance support your business to grow and succeed?

To help SMBs in the US defense industrial base (DIB) understand what continuous compliance is all about, a recent episode of The Virtual CISO Podcast features Andrea Willis, Senior Product Manager at Exostar. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

Continuous compliance strengthens security

Andrea is quick to acknowledge that, while continuous compliance is a wonderful thing, what’s most critical is keeping intellectual property and other sensitive data secure.

“Being compliant doesn’t mean you’re secure,” Andrea concedes. “I say that every webinar: ‘This is great. You’re going to be compliant by having your System Security Plan (SSP) and your POAM reports and knowing your SPRS score… but you’re not done.’ It’s that continuous cycle and making sure you have the tools and processes and everything else in place to be cyber secure. That’s the goal the government is looking for.”


“Security and compliance are different,” responds John. “But I would say that if you have optimally designed and implemented your cybersecurity program, then compliance is security in the absence of change. If we implement controls perfectly, that means our risk is perfectly mitigated to a level we find acceptable. Then… the ongoing operation of our cybersecurity program is, ‘Okay, what has changed? And does that change necessitate a change in the implementation of my controls and the way that I monitor my compliance?’”


“So, any changes that you need to monitor could necessitate modifications to your security program, which would then potentially update your SPRS score because you’ve now moved further along the continuum of cybersecurity,” Andrea amplifies.

In short, continuous compliance has the potential to vastly improve your security, which reduces business risk. Compliance reporting can also help detect an incident and shorten response time, reducing business impacts.

Continuous compliance can help assess security and compliance gaps

Another way that continuous compliance tools can help improve security is by making it easier to “gap assess” your current environment and know where you’re out of compliance, e.g., as an early step to planning your continuous compliance roadmap. Exostar’s Certification Assistant SaaS tool is one of the best solutions for DIB orgs that need to implement a NIST 800-171 based cybersecurity program. Certification Assistant can help to operationalize, workflow and continuously document the compliance artifacts you need to know where you are (or are not) compliant, provide evidence to back up an SPRS score and POAMS, etc.

John brings up a zero trust precept: “You’re going to be breached. We can’t stop people from clicking on bad phishing links. Yes, we want to prevent what we can. But if we don’t also recognize that it’s going to happen, and if we don’t have the continuous compliance mechanisms in place to identify it and mitigate its impact, we’re going to be sunk.”

Indeed, with the cost of a data breach currently averaging about $4.24 million, many SMBs might not survive a successful cyber-attack.

What’s next?

Ready to start brainstorming a continuous compliance roadmap for your business?

Contact Pivot Point Security to connect with a NIST/CMMC expert.

To listen to the complete podcast episode with Andrea Willis from Exostar, click here.

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.