Last Updated on March 16, 2023
“Compliance” is too august and fraught a term to be labeled a buzzword—but lately there’s a lot of buzz around compliance, especially when the word “continuous” precedes it.
What does continuous compliance really mean these days and why is its importance escalating for US defense industrial base (DIB) orgs?
To give SMBs in the DIB (or in any industry) a vision for how to attain and sustain compliance with their cybersecurity obligations, a recent episode of The Virtual CISO Podcast features Andrea Willis, Senior Product Manager at Exostar. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Compliance and cybersecurity are inseparable
How do compliance and cybersecurity relate to continuous compliance? Andrea lays out the dictionary style definitions. She notes that, according to the Cybersecurity and Infrastructure Security Agency (CISA):
Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.
“But compliance is an even simpler word, meaning ‘conforming with a wish or command,’ states Andrea. “In our case, NIST 800-171 is the wish or command we need to follow.”
“Continuous means without stopping and without interruption,” adds Andrea. “So, for me, continuous compliance means that without interruption and without stopping you are still complying with that regulation, which in this case revolves around cybersecurity. Continuous compliance is necessary because the attacks, they don’t stop. Attackers are constantly trying to get into networks and we as organizations are trying to continually protect so they don’t get into our systems.”
Continuous compliance is (obviously) never done
Because the threat environment and your internal IT environment are always changing, both cybersecurity (the controls) and compliance (the monitoring of the controls) need to be “continuous.”
“That’s why cybersecurity is never a ‘one and done’ and the compliance to cybersecurity means you’re never ‘one and done,” Andrea acknowledges. “For example, you still have to go verify that, if you terminate an employee, their access to systems is turned off.”
“The activities of cybersecurity you always need to do,” explains Andrea. “You have to think of compliance the same way. Sure, I implemented Identity & Access Management. But now I need to go monitor that things are still the way they need to be. That it’s still setup and configured. That nobody has come along behind and… So it is never done.”
Continuous compliance has 2 big value propositions
“As we like to say, security is a journey not a destination,” shares John. “The way I look at continuous compliance, it’s having the necessary processes in place so that when I fall off of compliance, I have a way to know that and I’m able to remedy that in relatively short order.”
“If I wrote my policies and procedures for what my organization needs to do,” replies Andrea. “Then, when I audit it, if I’ve fallen off I can quickly get back because it’s documented right there for me to follow again.”
“That value proposition is two-fold,” John points out:
- You need to stay in compliance with CMMC 2.0 or NIST 800-171 to be able to maintain and uphold your contractual obligations and avoid repercussions from non-compliance
- By continuously complying with your policies and procedures for how you operate your cybersecurity controls, you’ll have a more secure organization that’s less likely to have a business-impacting breach
“If you have a breach of CUI, certainly not only will that impact you in the near-term, but also that is likely to impact the probability that you’re going to win additional contracts either with the agency or the prime,” cautions John.
To listen to this podcast episode with Andrea Willis from Exostar in its entirety, click here.
Interested in more thought leadership on continuous compliance? Don’t miss this podcast with Mosi Platt from Netflix: EP#68 – Mosi Platt – Why Continuous Compliance Matters More than Ever
New CMMC V2 Certification Guide
A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.