February 2, 2022

If you’re beholden to government security guidance — and let’s face it, if you’re a company operating in the US, you very likely are — the list can be overwhelming at first.

So, it helps to look back on where we’ve been and how we got where we are today.

And in this solo episode, I do exactly that — and hopefully, shine a light on what the guidance means and why you should care.





Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective, you may find some small discrepancies between the written content and the native audio file.

Narrator (Intro/Outro) (00:06):

You are listening to the virtual CISO podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there. And welcome to yet another episode of the Virtual CISO podcast, with you as always, your host John Verry. And with me today is nobody. I’m alone. Sorry about that. You’ll have to put up with me for the next N minutes or so. I thought the topic was important enough that I wanted to get it out before the end of the year. And if you work in the cybersecurity space, you know how crazy busy it gets this time of the year. And I wasn’t able to get anybody to commit. Plus this year’s particularly hard, because so many people had vacation time left over and are taking a lot of December off.

John Verry (01:00):

The reason again I wanted to get this out as quickly as possible is an increasing number of the conversations I’m having with our clients are around, how do we respond to what’s going on in the US government? In terms of the accelerating guidance that we’re getting, in terms of things like NIST SP 800-171, especially if those clients have things like ISO 27001 already in place, or they’re going to pursue ISO 27001, and trying to figure out what’s the best way to deal with this. So that is what the topic is for today. And I think it is a very, very important one.

John Verry (01:38):

This is a daunting slide. I’ll try to go through it fast. But I think it’s important that we understand a little bit about the history of US government guidance of note and how we can see the acceleration. And we can see how this is going to logically impact all of us, whether or not you do business in the government, or even if you do not do business in the government. So way back in November 2010, the Presidential Executive Order 13556 established controlled unclassified information as a category. The idea was to simplify, at that point there were 100 plus classifications of similar data. And that was a challenge to communicating within the government across branches, as well as communicating with the people that were working on behalf of the government and helping them understand how each form of data should be cared for. A couple things which are relevant there.

John Verry (02:35):

32 CFR is important. That is how that was codified into law. And then the idea of the NARA, National Archives and Records Agency. You can look up something called the CUI registry. Because CUI covers a ton of information that you might be processing. So most people are thinking, “Oh, we don’t work in the defense industrial base.” The defense industrial base is one of 20 different categories of CUI data. We’ll talk about that in a bit.

John Verry (03:02):

2014, we had the NIST Cybersecurity Framework from President Obama. That established a framework for managing information related risk. It was supposed to be used by critical infrastructure. It has been, hmm, moderately adopted, I would say. We hit December 2016, and now we finally have a new framework, NIST SP 800-171, which is intended to help define the expectation for the controls that should be implemented for the CUI, which was developed in November 2010.

John Verry (03:35):

Immediately thereafter, the defense industry started to use this extensively, the DOD, because what they were doing is putting this as a requirement into contracts because we had been bleeding a lot of our defense industrial base information. Unfortunately, that didn’t work all that well. Folks were self attesting to it at that point. “Yep. I did it.” They often did nothing more than take a piece of cardboard or construction paper and put an X with a crayon on it and send it in. And unfortunately, we still continued to bleed intellectual property and our national defense was compromised. So in June 2019, DCMA, the Defense Contract Management Agency said, “Hey, we’re going to need to start enforcing this.” And they built something called the DIBCAC. You might have heard of a DIBCAC audit. And the DIBCAC was a group that grew to about, I believe, about a hundred-ish auditors that would go around and audit entities in the defense industrial base to ensure that 800-171 was being implemented properly to protect the CUI, the DOD CUI.

John Verry (04:38):

There were concerns about that scalability. And the CMMC AB accreditation body came out with CMMC version one, the Cybersecurity Maturity Model Certification, in January 2020. The idea there is that we can build a program where we can make it easier and more scalable in that we’ll have non-government auditors that we can go authorize to go out and do these audits. And we’re going to enforce CMMC, which required audits to confirm 800-171 was implemented, not self attestation, across the 350,000 plus entities that form the defense industrial base. Very, very aggressive idea.

John Verry (05:28):

At the same time, and it did not get nearly as much press, this came out with the privacy framework, which I think will have some bearing as we progress further down the road. In May of this year, again, SolarWinds and some of the other issues that we’ve seen in the last year, the Presidential Executive Order 14028 came out. A lot of the language in there. A lot of the things that you see in there are going to be everyday terms that you hear and talk about. Zero trust, supply chain security, software security, and the recognition of that. And perhaps software labeling so that you know that the software was developed properly. IoT device security was explicitly called out. In fact, the FTC was directed to develop an IoT labeling program. In other words, a way of crediting IoT devices to make sure that they’re secure. We’ve seen similar in Finland and Singapore already.

John Verry (06:22):

And then the other thing which is very important is that we saw that the government is doubling down on the cybersecurity and infrastructure security agency. What did I say? Is it security or system? It’s security. I’m right. I got it right. Yay. I always get that one wrong. Because CISA also is a certification that I have and I always mix the two up.

John Verry (06:45):

But what it did was really shows that CISA is critical, right? They’re part of DHS. They are really in charge of United States’ enforcement and guidance with NIST being the body, which will produce the standards that they leverage.

John Verry (07:05):

2021, December this year, this month, in fact, CMMC v2 came out. That was post DOD review. In large part, what they said was, “We already had a good program before CMMC v1. We like some of the ideas of CMMC v1. We don’t think we need to audit everybody. And we don’t think that we need to add additional controls to NIST SP 800-171, which CMMC v1 did.” So they took the additional controls out. They’re setting up some rules for who needs to be audited and who doesn’t need to be audited. What also might be very significant is that in the original roll out of CMMC v1, we thought that would happen over a five to six year period.

John Verry (07:45):

The way CMMC v2 is happening is it’s going to be pushed into CFR 32. CFR 32 applies to all contracts. So in theory, once CFR 32 is updated, somewhere between 9 and 15 or 18 months from now, CMMC might be obligated for all contracts rather than that phase in period. So it’s going to be interesting to see how they deal with that. And then January 2022, we’re expecting… it’s already out in draft, the NIST Secure Software Development Framework to be published, or shortly thereafter. That’s important, right? It’s a direct response to Presidential EO 14028, and that software security. So if you’re in the SaaS space, if you’re developing software and any of that is going to either be working directly with the government or downstream from the government, it’s going to be critical that you are prepared for this stuff.

John Verry (08:40):

So we talked about CISA. Why CISA is so relevant is CISA is originally directed to guide these 18 critical infrastructure sectors. If you take a look at that list, it is broad and it covers a lot of what we’d expect and it covers things you might not expect. So our financial services programs, our healthcare programs, our IT programs, are all considered critical infrastructure. So if you don’t have a US government entity as a client, but you have clients that live in any of these sectors, then you are going to see this as a flow down requirement.

John Verry (09:26):

So that is why I think whether or not you have US government clients or not, you are going to need to account for being able to demonstrate that you’re secure and compliant, minimally to NIST SP 800-171, whether at some point in the not too distant future. And when I say not too distant future, I’m talking about anywhere between six months and three or four years. Now we talked about CUI and why CUI is relevant is because CUI defines the types of data that you might be processing. So if you’re processing any of these types of data that you see on the CUI registry, like I said, you can go to NARA, National Archives and Records Association. They maintain this list that you can see on this slide here, that I’m looking at a partial image of that list.

John Verry (10:18):

And you can see the 20 categories of data. So I mentioned defense industrial base and 350,000 entities that service that as being obligated to NIST 800-171 conformance, based on the fact that they process CUI. If you work with any of those, or you work with anyone in the financial space. By the way, student records are considered CUI. Intellectual property is considered CUI. Information with regards to our transportation system. So law firms, software-as-a-service firms. In a sense, almost any company that’s a viable business is probably servicing either the critical infrastructure or someone processing CUI, and is going to end up being beholden to these standards as time goes on.

John Verry (11:14):

So how should you respond? In my opinion, and my opinion is worth exactly how much I’m charging you today to listen to this podcast. I think you need to recognize that this is not an if, it’s a when. So the first thing that I would say is pay attention to what’s going on. I know this stuff can be painful and it can make your ears bleed. This is what I do every day, all day. So to me, it’s kind of exciting. But if you’re trying to run a business or if you’re trying to keep a business operational, you’re a CIO, CTO. I know it’s hard to stay on top of things, but use Google keyword searches, Google alerts. Pay attention. What’s going on with CMMC? When is that moving into law? When does CMMC go into CFR 32, and what happens? I pay attention to what CISA is out there… they issue these things called directives. Be aware that people are going to start to ask you, and you’re going to start to see it in your contracts or in the security questionnaires you get from your clients.

John Verry (12:22):

Things like, do you have a software bill of materials, if you’re a SaaS provider? Are you leveraging zero trust architecture in your security programs? And that’s another good… two other places where you can kind of stay educated is make sure you’re talking to your marketing and sales folks and see what’s in the RFIs, RFPs, what’s being asked for. And then also go down and talk to any people that are responding to security questionnaires from your clients and ask them what they’re looking for. And if you happen to be in a regulated industry, if you’re, let’s say, in some form of banking or a registered investment advisor, what is the SEC asking you for? What is the FDIC asking you for? Pay attention to that. Get that information, because you need a head start on this stuff.

John Verry (13:08):

Nothing happens fast in information security. Getting from zero to ISO 27001 certification in most organizations is a seven to 12 month exercise. Getting from zero to CMMC certification is a similar timeframe, same with SOC 2. So in the event that you need to actually get there, you don’t want to know that one month before you need to get there or you lose a contract. Or one month before you need to, and you want to bid on a contract and you’re not able to.

John Verry (13:38):

Get educated. What is CUI? Go to the NARA registry, look and see what’s there. Are we processing these types of data? If we are, what is going to be my response? When am I going to put my company in position if somebody asked me that question, that I’m able to answer it, right? That I’m provably secure and compliant.

John Verry (13:57):

Same idea with NIST SP 800-171, which are the sets of controls that are required by that. Become aware of something called FAR 52.204-21. I think that should be 21.

John Verry (14:14):

What that basically is, is the 15 basic cybersecurity requirements that are required to protect what we refer to as federal contract information. So at a floor, if you’re an organization and you are not able to achieve conformance with those 15 basic cybersecurity requirements, that’s going to be a problem. So minimally, that’s got to be… And I would try to get you there fast. The reason I would say you should go there fast is, A, you don’t want to lose out on something. B, if you don’t have those 15 in place, you’re probably less secure than you should be. And you’re at greater risk than you’d probably like to be as somebody who’s operating or working in a business.

John Verry (14:55):

If you believe me, and why wouldn’t you, you should start to build NIST into your information security program as soon as possible. What do I mean by that? What I mean by that is look, I’m an ISO 27001 guy. I love the standard. Anyone who’s listened to this podcast knows that. ISO 27001 is not going away. SOC 2 is not going away. You’re going to still need these standards because still you’re going to have a lot of customers that are asking for them. But what we need to start to do is blend NIST into our ISO 27001 information security management system or our SOC 2 cyber security program. And how do we do that?

John Verry (15:34):

So a simple way to do that is cross reference controls. Perhaps a better way to do that would be to begin to take that as a requirement into your ISO 27001 information security management system, and perhaps even develop your policies in accordance with NIST. Use NIST as the underlying information security framework. I’ll show you that in the next slide.

John Verry (15:55):

And then last, while you’re looking at the CUI registry, please pay attention to determine if the CUI that you’re processing is also personal information, as defined by GDPR, APAC, California Consumer Privacy Act, NIST Privacy Framework. Because you’re going to want to also be in a position in the not too distant future, to be able to address the privacy questionnaires that you’re going to be getting from organizations. You’re going to want to be able to answer that question when someone says, “Do you have a CCPA conforming privacy program?” With a resounding, “Yes, sir. You can still continue to give your business.”

John Verry (16:34):

So we talked about if I’m already 800-171 conforming, and I want to move to ISO 27001, because I have non-DOD non-federal clients that are asking about it, or if I’ve got ISO 27001, but I know many of my clients are downstream participating in the government stream and they might be flowing down requirements to me.

John Verry (17:01):

What’s the best way to do this, right? So we can add 800-171 to 27001 or vice versa. Those are rough approximations from a Venn diagram perspective, but you see a lot of commonality between 171 and 27001. I would estimate the additional effort that falls outside of the two in common as, let’s say, roughly a third or so. So if you were to, let’s say, be moving towards ISO 27001 right now, it would be probably a good idea to take a little bit more time, and perhaps spend a few more dollars, but get to a point where we’re actually both 800-171 and 27001 conforming, provably so at the end of that process.

John Verry (17:52):

Now, you can also do it in a slightly different way, which is we can just account for NIST. So one way you might account for NIST would be just to continue to leverage your existing ISO 27001 system, but then go back and cross reference your ISO 27001 policies, probably Annex A aligned policies. The Annex A is the list of controls, also known as ISO 27002. The long form is known as ISO 27002. It’s a list of your ISO 27002 controls. And you can get a map that shows you how each control is mapped to an equivalent NIST control. So if somebody says, “Hey, are you conforming with NIST?” Well, you can show them now, here’s my policies. And here’s how they actually map to NIST.

John Verry (18:40):

Now, because of the way ISO works. And the fact that ISO is what we refer to as a risk-based framework. ISO does not mandate the implementation of a control. ISO says you should consider this control. And then based on your risk appetite, based on your client, your organizational context, that’s the types of data you process, who your customers are, what your client contractual obligations are, what your legal obligations are, what the laws and regulations are that govern the operation and the types of data that you process, all those kind of fun things about your organization.

John Verry (19:14):

It says, understand that and then implement controls that are proportional to that risk and achieve your risk appetite, your risk acceptance criteria. So it’s possible that you’ve implemented an ISO control in a way which is ISO conforming at that point in time, based on your context, but it’s not yet NIST 800-171 conforming. So be aware of that. And what you might want to do is actually, rather than just cross reference, cross reference and update. And that just simple cross referencing is very little, 10%, maybe even less. There’s a really cool way that we’re starting to do this with a lot of our clients. If you’re starting on ISO 27001 from the beginning, and you don’t have a lot of your controls well documented, what most organizations would typically do is begin to document their policy standards and procedures using the Annex A controls within ISO, because that’s the way it’s architected to work.

John Verry (20:11):

So there’s something in ISO called the statement of applicability. That’s a document that says, “Hey, I considered these 114 controls in Annex A, and here’s the ones that I implemented. Here’s the ones that I didn’t. And here’s why.”

John Verry (20:23):

So what most people don’t realize is that you don’t have to use the Annex A controls as the basis of your control set for ISO 27001. So what you can do, which is a cool idea, is you take… let’s say that you know that you’re going to have flow down. You know you’re going to need to conform with 800-171, in the not too distant future. Let’s say that you are providing… I almost used a client’s exact product, because we’re doing it with a couple clients. We’ve got a couple clients that provide products into the electrical utility space. That’s critical infrastructure.

John Verry (20:59):

So they’re not only being asked about 800-171 or ISO and things like that in that industry. So what we’re doing there is we’re actually documenting their controls, not using ISO 27001. In one case we’re using NIST 800-53, which is the broad base of controls. In one case we’re using NIST 800-171, which are the ones that are specific to CUI, as the basis of our cybersecurity program. And then what we’re doing is then the ISO 27001 is just an attestation that the information security management system, which uses those controls underneath, is operating properly.

John Verry (21:39):

So I hope that was worth the roughly 15 or 20 minutes of your time. I truly believe that what’s happening in our federal government, I think they finally have gotten it. I think that they understand that our national defense, our sovereignty, if you will, our ability to be an important economic player in the world economy is based on our government being secure and the critical companies in our economic system also being secure. I think they recognize that. I think they are going to increasingly enforce the concept of that happening. And that is why I think this guidance is going to be relevant to you all. Thanks guys. Stay safe out there.

Narrator (Intro/Outro) (22:31):

You’ve been listening to the virtual CISO podcast, as you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.