If you look around at what’s happening in the world of cybersecurity, you’ll notice one thing:
Security never stops…
Which means neither should compliance.
That’s why I invited Andrea Willis, Senior Product Manager at Exostar, an expert in continuous compliance onto the show to help you figure out how to stay compliant.
Join us as we discuss:
- The importance of continuous compliance
- How CMMC 2.0 and continuous compliance interact
- How cybersecurity is like the immune system of your organization
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player
Narrator (Intro/Outro) (00:06):
You’re listening to the Virtual CISO podcast, a frank discussion providing the best information security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there. And welcome to yet another episode of the Virtual CISO podcast. With you as always your host, John Verry, and with me today on a Snowpocalypse Friday, Andrea Willis. Hey, Andrea.
Andrea Willis (00:38):
John Verry (00:39):
So, are you worried about the snow where you are? You’re in Virginia, right?
Andrea Willis (00:43):
I am just outside DC in Virginia and it now is actually snowing pretty well, but the ground’s still too warm for it to really do anything, so.
John Verry (00:52):
Yeah, they’re saying four to 11 inches here, our fearless forecasters. What are they saying for you?
Andrea Willis (00:58):
Less than two.
John Verry (01:00):
Oh. So, then it’s not Snowpocalypse for you. I have to take that back.
Andrea Willis (01:04):
John Verry (01:05):
So, always like to start easy. Tell us a little bit about who you are and what is it that you do every day?
Andrea Willis (01:13):
Such a weighty question. I am a product manager in the risk and compliance space. I’ve been a product manager now for 15, almost 16 years, specializing in cybersecurity for the last seven or so at a bunch of different areas of cybersecurity, as well as different sizes. I’ve been IBM, Big Blue. Super large organization. But then I’ve also been identity and access management where it was 200 people. But it’s given me a good grounding on all the components and aspects of what organizations need to do in order to comply with NIST 800 and CMMC.
John Verry (01:55):
Cool. So quick, just out of curiosity, professional curiosity, I can’t help, but ask. What product were you product manager for, for IBM?
Andrea Willis (02:04):
So IBM. I had two stints there. The first I was their cloud email security and vulnerability management. So partnered with Proofpoint and Rapid7 for their product set. And then my second go round I was in the security services space where I focused on manage SIM.
John Verry (02:04):
Andrea Willis (02:22):
In particular, our customers who used arc sites and Qradar.
John Verry (02:27):
I was just going to ask you, yeah. Because IBM was a place where all the SIMs ended up. You had network intelligence ended up there, you had Qradar end up there. There was one other product that ended up there as well. So, that’s interesting. Okay, cool. So before we get down to business, we have a tradition. We got to ask, what’s your drink of choice?
Andrea Willis (02:48):
So my drink of choice in almost every situation is going to be unsweetened iced tea. I am definitely a northerner. I do not like sugar in my iced tea. But if I’m in a social situation and I’m not driving anywhere, I will do some vodka-based drink. The best one I’ve ever had was a limoncello martini, so.
John Verry (03:14):
A limoncello martini, especially sitting in a cafe in Rome, pure delight. And I haven’t had one in Rome, I have had one in Florence. So yeah, it’s awesome. And then, I got to ask on the green, on the tea, is it a black tea, an Orange Pekoe, you go green?
Andrea Willis (03:31):
John Verry (03:33):
Andrea Willis (03:33):
… regular old. Yeah, that’s my, so in the summer when it’s not cold, that is my morning drink to get my caffeine in and then I drink it all day. And then only in the winter will I do one cup of coffee. I’ll say I would take my cream with a little bit of coffee, because I like it. I like it whiter than a full strength.
John Verry (03:57):
Yeah, that’s not coffee, but please don’t embarrass us all. That’s no longer coffee at that point. That’s a dessert, okay? You’re eating dessert in the morning, which you shouldn’t feel very good about. Actually, the funny thing is we always have a pitcher of unsweetened green tea in the fridge and we usually squeeze a bunch of lemons and fresh oranges into it. Absolutely great drink.
All right, so let’s get down to business. Thanks for coming on. As anyone who is in the deep CMMC space knows there’s tons of changes the last 18 months. And I still think, unfortunately there’s some general confusion on what an organization needs to do to be compliant at this point. Also, I think there’s some confusion on how we expect this, how they think this will evolve over the next six to 12 months. So, give me your thoughts right now, like where we are as far as you see it?
Andrea Willis (04:51):
Hmm, I would, first thanks for having me.
John Verry (04:51):
Oh, no worries.
Andrea Willis (04:55):
Second, I would agree. I think there still is a lot of confusion and I think there still will be some until the rule making for certainly CMMC 2.0, 2.1, 3.0 happens. There still is going to be uncertainty. What I tell people when they ask is, “Well, the rule of the land today is the 70/12.” Which is NIST 171, which is where I direct people. That’s what you need to do. And at the moment that just requires the SPRS score to be put into PIEE in order to be considered compliant. The good thing is, at least for what they’ve announced as far as 2.0 for CMMC is NIST. So by telling people, “Hey, go to 171, you’re going to be in good stead.” Because when, assume 2.0 stays as it is, which is NIST 171, you’re going to be in a good spot to move forward. But I would agree there still is a bunch of uncertainty, because we still have the rulemaking process to go through.
John Verry (06:05):
Right, but the good news for all of us is, the DoD’s assessment was sort of back to the future. We had been at NIST 800-171, the CMMC-AB kind of moved us forward a little bit, changed a bit what we were going to do. And the DoDs came back and said, “No, let’s just stick with what we have, but let’s just certify that. Or let’s have senior officials sign off on it.” I mean, at the net, that’s really what happened, right?
Andrea Willis (06:31):
Right. In simple terms, it is. The interesting thing is, I had a conversation with a government employee who wanted to verify NIST scores for subprimes for the contract he was managing. So they’re very cognizant about the fact though for NIST that, because it is all self-attestation and all that’s put in the system is the score, how do they verify? So they are very much looking forward to more of the CMMC 2.0, where for those organizations that have to go through an audit, there actually is going to be documentation and SSPs stored in the government system so that they can actually audit and verify that the organizations are, if they say they’re a 110, that they really are a 110, that everything is backed up by it.
John Verry (07:24):
That third-party attestation component provides a much higher degree of assurance. The title of the podcast is around continuous compliance. So, let’s talk about compliance, and it’s hard to talk about compliance without talking about security, and then we’ve used the term continuous compliance. So why don’t we get some definitions on the table here? So let’s start with cyber security and then let’s talk about compliance. And then how do you go from compliance to “continuous compliance?”
Andrea Willis (07:55):
Sure. So I did a little research and I found CISA, their definition of cyber security as the arts of protecting networks, devices, and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity, and availability of information. It’s pretty weighty, but that’s at least what CISA has defined it as. But compliance is, an even simpler word and term is complying with a wish or command. And in our case, NIST is the command of what we need to follow. The continuous is without stopping and without interruption. So for me, when you say continuous compliance, it is without interruption, without stopping you are still complying with what the regulation is that in this case revolves around cybersecurity. And it’s necessary because as we all well know, we see it in the news weekly, if not daily, that there is some other ransomware attack. There is some other threat actor who has done something, because they don’t stop. They are constantly trying to get into networks. And we, as organizations are trying to continually protect that they don’t get into our system.
So that’s why it’s never, cybersecurity is never a one and done. And the compliance to cybersecurity means you’re never one and done. You still have to go verify that if you have a terminated employee or an employee’s gone on a new endeavor, you need to go make sure that their access is turned off to systems. So the act of cybersecurity, you still need to do it constantly. So you kind of have to think of compliance the same way. It’s a continuous thing. It’s never, “Sure, I implemented identity and access management, but I need to now go monitor that things are still the way they need to be. That it’s still set up and configured. That nobody has come along behind.” Because some ransomware, I was reading somewhere, I don’t know if you saw it, where one of the big plays for ransomware actors now is to get somebody internally in an organization to try to get access to their system. So, it is never done.
John Verry (07:55):
Andrea Willis (10:24):
It is never.
John Verry (10:26):
As we like to say, “Security is a journey, not a destination.” And that’s kind of that idea of continuous compliance. The way I look at continuous compliance, I don’t know if you’d agree, is that to me, continuous compliance is having the processes in place necessary so that when I fall off of compliance, I have a way to know that, and I’m able to remedy that in relatively short order.
Andrea Willis (10:55):
Yes. That’s a nice way of thinking of it. I wrote my policies and my procedures of what I need to do, what my organization needs to do. And then yes, when I go audit it, if I fallen off, I can quickly get back because it’s documented right there for me to follow again.
John Verry (11:12):
Yep. Yeah. And look, and that value prop is twofold. First and foremost, of course you’re going to stay in compliance with CMMC and 800-171 and be able to maintain your contracts and things of that nature. The second thing is that I think sometimes people lose track of, you’re going to be a more secure organization that’s less likely to have some type of business impacting breach. And if you have a breach of CUI, certainly not only will that impact you in the near term, but that’s likely to impact the odds and probability that you’re going to win additional contracts, either with the agency or at the prime, right?
Andrea Willis (11:47):
Yes, no doubt.
John Verry (11:48):
All right, so I think we can agree that the good news, you talked about this earlier, that the wish hasn’t changed. Now, the wish is the same. The wish today is the same wish as it was in 2016 when DFARS, that 252.204-7012 clause that you talked about, we started to see that in contracts. It calls for 801-171 conformants. It calls for some other things as well. And people should always remember, you need to be DFARS compliant, not NIST 800-171 compliant, because there are additional requirements within DFARS. But we’ll talk about that another point. So the target is the same, what I think has changed is how you’re going to prove you’re in compliance. Can you talk about that a bit?
Andrea Willis (12:36):
Sure. So for level ones, which were the same for CMMC level ones is, if you have federal contract information you don’t have the, CUI it’s still self-attestation. Your senior executive has to say, “Yep, I sign off. Here’s what I have for those 17 controls.” To your point for the level twos, that’s where it’s going to become interesting because there’s going to be some subset group, we don’t know yet who. Who that senior executive is going to have to say, “Yeah, I sign off where we are on 171 and CMMC 2.0.” So it’s that executive who is on the line if they are falsely reporting what their score is.
But then there’s that other group of the level twos who are going to have to be audited by a third party, by a C3PAO. And that is going to have all the verification and checks that they’ve said that they’re a 100, not 110, they’re not, and here are the POA&Ms and the dates and it’s going to have a third party say, “Yep, they actually are where they say they are.” So it gives additional weight to the fact that that organization is where they are. So it’s going to be an interesting split in the level two area between the self-attestation and these people who actually do get audited by that third party.
I think we’re actually going to see organizations who maybe didn’t need to be audited are actually going to go audited because they know that that way they can get a contract, a higher level contract because they are at that point audited. Because the government’s going to say, “Great, you’re going to give me that information and verify that you are, I’ll take it.” And that would actually put them probably in a little better spot. But it’s going to be interesting once the final rule is done when those first contracts are going to come out with that three month grace, three month-ish grace period before those contracts have it. The flood and fury of organizations that are going to get audited at that point.
John Verry (14:38):
Yeah, I think you’re right. And I think you’re reading [inaudible 00:14:42] right in that there will be some people that are going to want to get the audit. I think there are some nervous Nellies, some of our clients are incredibly risk averse in the DIB and are really worried about that they might have a breach and that would impact their business. And then I think you also have the other side of the fence, we’ve got a lot of DIB clients that believe that it would be a strategic advantage, a competitive differentiator to have a certification ahead of their key competitors. And so we’re even seeing probably five or so, or six of our current clients are actually going to become CMMC certified prior to the rule making. They’re engaging with C3PAOs now, and they want to get that certification because they think it’ll be an advantage.
I think you’re right. So, what you just talked about, this idea that if you were a 7012 contract holder, DFARS 7012 contract holder, as it renews or as additional task orders are issued, it becomes a 7019. Which now will necessitate that you put a score into SPRS. And if you’re going to put a score into SPRS as the owner manager of the organization, key stakeholder organization, you’re going to want to have some basis to know that you’re putting a score and that’s accurate. If you are a senior authorizing official that has to sign off on a CMMC 2.0, you’re going to, again, need to have some basis for your opinion.
And in the third case, if you’re going to pass a CMMC audit, you’re going to need two forms of evidence that’s for each practice that demonstrate persistent habitual execution of said control. Really in all three of those cases we’re going to be reliant on our compliance program. Correct?
Andrea Willis (16:29):
John Verry (16:30):
All right, so talk about, from your perspective, give it, so if somebody’s a little fuzzy on this, what are some examples of what we might be tracking compliance with and how we would actually go about doing that?
Andrea Willis (16:43):
Sure. So, a perfect and easy example is access control. That’s probably one of the biggest 122 different individual controls. And one of the biggest areas there is you have to control and monitor remote access sessions. So it is control and monitor. So you’re going to have to show that you have the controls and the processes in place, but then you’re also going to have to show the continuous monitoring. So you’re going to have to track if it’s a monthly report, weekly report, whatever, that you are actually doing that monitoring along with it. Continuous, it’s not one and done. It’s not that you’ve just done the policies and procedures, which you have to do, that’s the first step. But then you actually have to show that you have that in place where you actually are doing the monitoring.
You can do this again with physical protection. Another area is if you actually are back in the office or have a data center and you have visitors, guests who are coming in. You need to have that policy in place, but then you also need to document that your visitors sign in, and that they’re escorted the whole time they’re in the facility. That you’re doing all the pieces you need to do for the physical protection Of those systems as well.
There’s lots of examples. You can go into personnel. Briefly talked about it. You have new employees come on, you need to track that you have the process for giving access, but then you need to track that you’re giving access to new users as well as then deactivating users when they leave the company. Either by termination or because they move to a new job. So it’s, life is continuous. All these things that keep going that you need to document that you’re doing the steps to show your two steps. You have the policy and procedures in place, and that you’re actually doing those steps later.
John Verry (18:36):
Yeah, I think that’s one of the things that we see as being, so CMMC 800-171, they are the recipe for a good, strong cybersecurity program, much like ISO 27001, or FedRAMP or HITRUST or NIST cybersecurity framework or SOC 2. And one of the things that we’ve seen over 20 plus years of doing this kind of stuff is, it’s relatively easy to put the controls in place that are necessary to build the cybersecurity program. But as you’re doing that, it’s critical to what we call operationalize the program, which is to put the other processes in place to make sure that these happen on a continual basis. And that we’ve got the mechanisms to identify when they stop happening. And we have the mechanisms to identify or to ensure that they produce the artifacts that we need. You see that same challenge over there, your career?
Andrea Willis (19:30):
So, it’s interesting, because I’ve been in cybersecurity now seven-ish years. And the one thing that keeps coming up is the personnel, the people to do the jobs. That organizations are not finding the resources, keeping the resources because of intense competition to have that resource and that skillset in their organization. For large organizations it’s very easy or easier, because they have some of the deeper pockets to have those resources. But for the medium to smaller business, they don’t necessarily have that. And that’s where the MSP or the MSSP, the managed security, managed service provider, or the managed security service provider become very critical. And I think they can help organizations operationalize because they can augment your resources, or augment the service that you need to do to reach that compliance.
Some of the things are, you need identity and access management, while you can actually go to an MSP to actually get that service where they can actually package the software up for you, and then give you the reports back on that compliance that you then as an internal person would actually have to verify. But yes, the operationalization is a big thing if you don’t have that skillset in-house to even know how to start that component. And so that’s what I see more with some of the customers I talk to is how they can get the skillset for things they don’t have in-house that they know they need, especially as NIST and DoD has identified a number of controls as being more critical. And that’s why they have the negative five weight when you start going to look at the SPRS score.
John Verry (21:22):
Yeah, the way we say it is that you need the expertise on the front side to know what controls need to be in place and how to define those and how to get them documented. And then the next thing that we need is to make sure that we’ve got the trust, we call it the trusted ecosystem necessary to execute those controls. And the trusted ecosystem requires two things. Means the right people. And when I say the people, we need people that have appropriate qualifications. People that have the scope of knowledge, people that have the amount of bandwidth and time, because that’s one of the challenges we all have. And then you also need the right products. Because very often you’re going to be relying on a product like you mentioned, an identity management, a multifactor authentication, a security information event management solution, something of that nature. And those three things in combination, when there are combined optimally are going to give, position you for moving towards that state of continuous compliance that we were talking about.
So let’s talk about that. So, beyond, if I just asked you out of the blue, like, “Hey, you were on this podcast and you were pitching continuous compliance, I’m a business owner. What would be the value of me doing what you said?”
Andrea Willis (22:28):
There’s a lot of value in. I think if I were starting, the first thing I would do is have some tool or something that I can actually do my GAP assessment to figure out where I am on the compliance continuum spectrum of what I need to do. Because you need to visibility into what is going on? There are a number-
John Verry (22:54):
You’re fighting hard right now not to plug your product, so I’m going to-
Andrea Willis (22:58):
No, I’m actually-
John Verry (22:58):
So I’m going to step in and actually plug your product, right?
Andrea Willis (22:58):
John Verry (23:01):
So Andrea, just to be clear, is with Exostar. And Exostar has a GRC platform, I guess, would be a generic way to describe it, but they have a great platform for organizations that are in the defense industrial base that need to implement a 171 or CMMC, and they need this platform to operationalize, workflow, document their cybersecurity program. And it is a significant supporter of the continuous compliance efforts that we’re talking about, correct?
Andrea Willis (23:34):
Correct. But actually I was stumbling on, actually, I think it’s NIST actually has their cybersecurity framework with the five phases of cybersecurity and the things you need to do. And I was actually, it’s a companion to the compliance and knowing what you need to do and doing the GAP assessment for NIST, but you also need to know the whole framework. So, to understand what respond means as far as … Because the NIST framework, sorry, the NIST 800-171 control is that you have an incident response plan. But there’s more to it than just knowing and having an incident response plan, so that’s why I was referring, stumbling over referring back to the NIST framework, because that respond actually has probably five or six steps to it. Getting legal involved and having all the steps, you know what to do before an incident happens.
So, it’s kind of a combination of things. Because continuous compliance, it’s great. It’s my wheelhouse, it’s what I’m working in. In particular the CMMC and this 800-171, but it’s more critical that you need to be cyber secure. So overarching more being secure, because being compliant doesn’t mean you’re secure. I say that every webinar where I go and do my workshop of my product, “This is great. You’re going to be compliant by having your SSP and your POAM reports and knowing your SPRS score, but you’re not done.” In order to be cyber secure there’s, to your point it’s that continuous cycle and making sure that you have the tools and techniques and everything and processes and everything in place so that you are more secure. That’s the goal of what the government is really looking for is-
John Verry (25:26):
Yeah, security. They want-
Andrea Willis (25:28):
John Verry (25:29):
They want to stop intellectual property leakage, which is critical to our national economy and security. So let me ask you a question. So I agree with what you said that you can be … Security and compliance are different, and you can be compliant and not secure. But I would say a little bit differently sometimes. I would say, and I’d be curious if you agree, that if you have optimally designed and implemented your cybersecurity program, then compliance is security in the absence of change. Because what we, if you think about it logically, risk manage, and you were managing information related risk, controls and mechanisms that reduce risk. If we implement those controls perfectly, that means that we’ve gotten to a point where our risk is being perfectly mitigated to a level that we find acceptable. Then if nothing changes, now we all know everything changes every day, but a as nothing changes, then we’re okay. And then what happens is the ongoing operation of your cybersecurity program is, “Okay, what has changed? And does that necessitate a change in the implementation of my controls and the way that I monitor my compliance?”
Andrea Willis (26:43):
John Verry (26:48):
That was a very short answer-
Andrea Willis (26:49):
It was a very long question.
John Verry (26:49):
… for a very long question.
Andrea Willis (26:51):
If people see the video, you’ll see my face as I was going through that. Because as you said, and clarified, it’s the absence of change. There is no change, yes, at that point, compliance is security, but life, world, everything is change. Yes, it is change. So that’s where it was the easy. Yes, it is. So to your point, any changes that you need to watch and monitor would actually necessitate, could necessitate modifications to your security program, which would then potentially update your SPRS score because you’ve changed something and you’ve now moved further along the continuum of cybersecurity, so.
John Verry (27:38):
Excellent. So, we talked about, I think we’ve done a good job of communicating key value propositions to continuous compliance. You talked about vastly improve security posture, which mitigates the risk to the business. We’re going to be an ongoing concern. We don’t have to worry about waking up one morning and finding out that some malicious hacker from some far away country has locked up all of our data and we’re no longer in business. You talked about, and I agree with you completely, that minimizing that timeline to detect an incident and respond to it before it becomes a business impacting event. And then of course, we talked about if you are going to, if that in any way that you need to communicate your conformance with 800-171 is going to require some form of compliance and ideally continuous compliance? Whether it’s SPRSs, putting a score into SPRSs, whether it’s a senior official attesting to the operation of the environment, or whether it’s surviving a C3PAO assessment.
Andrea Willis (28:40):
Yes, I would actually, it’s interesting, when I was working at IBM, Ginni Rometty was still the CEO. And one of the big things she talked about was cybersecurity is more like the immune system of a human body. You’re going to get sick. And it’s how your body responds to it that is cybersecurity.
John Verry (29:05):
I’m going to steal that, by the way. I like that.
Andrea Willis (29:08):
It’s a perfect analogy. Because everybody understands that one because I get a cold or I have allergies. There’s something in that biological response. Well, cybersecurity’s like that. And your organization, you have to be perfect every day in order for something to not happen. Whereas the threat actor, malicious intent, human mistake of a configuration of a server, it just takes one thing.
So the quicker you can then identify that something’s happened or you have the separation of systems. We all, OT systems that are air gapped, so that you protect certain things so that people can’t get to it. The things you can do on that would minimize the immune response of the body, the cybersecurity response. So to your point, Ponemon does a study every year with IBM, where they go look at how quickly organizations one, know that they have an incursion and two, respond to it, and then the average cost. They do it globally across many industries and … But 200 days to know that you actually have an incident is huge. That’s, and then another 70 plus days to actually remediate and get it out, so that’s why the average cost of a breach is $4 million right now. So-
John Verry (30:39):
That’s a staggering number.
Andrea Willis (30:40):
It’s staggering. And a lot of the DIB companies are smaller companies, that’s not-
John Verry (30:44):
They’re not going to survive. They’re not going to survive-
Andrea Willis (30:45):
They’re not going to survive that. So the more we can do through the programs and things that have identified from this 800-171 run can help them be more prepared. And so it is, I get a little bit of a stuffy nose with that cold, rather than it taking me down and I have flu and I’m in the hospital kind of thing. So, that’s the nice thing about the continuous compliance. It can help you identify those areas that you need to focus on. Certainly the negative five ones. Those are the ones that have been identified as primary, I won’t say primary focus, but of critical importance, that if you’re going to start somewhere, start with those items and getting those addressed.
John Verry (31:32):
Yeah, they have higher, naturally they have the high … They address your highest risks. The five is indicative of the fact that they have the highest risk mitigation capacity, which is probably why you should do them early on in the process. The other thing, which was interesting when you were mentioning that idea of it being an immune system, and you know you’re going to get sick, that’s really consistent with what the government and CISA and the presidential executive order are talking to, which is Zero Trust. Isn’t Zero Trust sort of the same model that you just talked about? It’s, look, you are going to be breached. It is going to happen at some point. And we can’t stop people from clicking on bad phishing links, we can’t. So it’s really not about, I mean, yes, we want to prevent what we can, but if we don’t also recognize that it’s going to happen and we don’t have the mechanisms in place, the continuous compliance mechanisms to identify it and mitigate its impact, we’re going to get sunk.
Andrea Willis (32:28):
It’s a good way, yeah.
John Verry (32:29):
That’s Zero Trust, right?
Andrea Willis (32:32):
That is, that is.
John Verry (32:32):
That’s kind of cool. How long ago was she talking about that? Because I mean, that’s almost like a Zero Trust approach she was talking about a long time ago.
Andrea Willis (32:39):
It was, probably 2015.
John Verry (32:41):
That’s not that long ago.
Andrea Willis (32:43):
John Verry (32:43):
Because John was talking about it over at Forrester, probably you started maybe 2011 you started hearing that buzz, Zero Trust. Although, that buzz has gone from a buzz to just giant drums beating.
Andrea Willis (32:56):
And everybody tries to, “Hey, I’m a Zero Trust product and I.”
John Verry (33:00):
Oh, drives me crazy.
Andrea Willis (33:01):
Yeah. Yeah, and it’s just, assume you don’t trust anybody really.
John Verry (33:07):
Zero Trust is not a product. Zero Trust is an approach. It’s a philosophy I guess, would be the right way to put it. And you have to implement that philosophy consistently, and if a product says there’s Zero Trust and you plug that in, it’s of no value if it philosophically you haven’t implemented that philosophy uniformly across your environment, or uniformly across the enclave associated with that particular class of data.
Andrea Willis (33:33):
Yes, and to be truthful. Most organizations don’t just do it on the enclave, do it for the whole company.
John Verry (33:43):
Oh, listen, I agree. But I will say this is that I’m a fan of not boiling oceans. And I do think if you tried to do it in most organizations across the enterprise, especially any reasonably sized organization, any organization that gets up past multiple locations, hybrid cloud infrastructure, things of that nature, or IT/OT. Someone who’s got shop floor and stuff of that nature. Man, start with something super high risk, and then learn and figure that out. And then kind of expand is I think probably a good thought process.
Andrea Willis (34:19):
True. I actually had a webinar question that came up where they had one user who had CUI. So they wanted to know, did they need to have a separate instance of Outlook and email up in GCC High to protect that one user who would potentially get CUI through email and communication. And it’s like, “Yes, you have to protect that one user from.” And if you don’t want a separate system, that means then you have to protect that system that everybody else is on, so.
John Verry (34:51):
Yep. And just to be clear, for anyone listening. GCC High would be one way or GCC would be one way to protect that, there are others. You could use other file transfer mechanisms. You could use PreVeil, you could use some type of FTP site. There are other ways, but that’s a very elegant and simple answer is to just use the Microsoft solution, because they’re probably already on it.
Andrea Willis (34:51):
John Verry (35:14):
All right, so.
Andrea Willis (35:15):
Their question was particular to GCC [crosstalk 00:35:18]-
John Verry (35:17):
I gotcha, yeah. So I think we’ve made a good argument for what continuous compliance is and why it would be useful and why you should be thinking about it. So what are some of the critical tools that people will probably end up leveraging in as part of their continuous compliance program?
Andrea Willis (35:38):
So this is where I would plug certification assistant for my [crosstalk 00:35:42]-
John Verry (35:42):
I already did. So you’re not allowed to qualify-
Andrea Willis (35:42):
I know you already did.
John Verry (35:45):
No, no, go ahead, plug it. Just joking around.
Andrea Willis (35:48):
You did a nice job, very nice job already.
John Verry (35:50):
And it’s always better when somebody else pitches your product than yourself. It sounds a lot more trustworthy.
Andrea Willis (35:56):
Right. So other tools I would say is we have another tool called PolicyPro. So if you don’t have policy procedure documents, this is a great way to get you started with templates, but it will also do an analysis to see if your policies actually comply to NIST 800. It has machine learning algorithm that can do that analysis. So those would be easy places to start policies, procedures and compliance. But there are, as you mentioned, there are other tools that we’ve talked about that can actually get you if you do these three things. You’re pretty well along the 800-171 compliance. Identity and access management, the two factor, and then a security incident and event management tool. You can use those by themselves, or you could go to an MSSP where they would then have the eyes on the screen. Looking at the alerts that come off your telemetry of your devices to see if there’s any anomalous things going on.
There are other tools out there that can also do the anomalous behavior detection. A CASB tool would be something certainly easy to help. And then I threw in here, and before the announcement of the Zero Trust, if you’re a larger, I say larger, middle, larger of the medium, like a privileged access management tool. I actually had to kind of explain that to somebody. And they were like, “What do you mean?” So this is where you can do a single one-time password for users who now need to go onto your servers to do admin functions. And this way you control access so not, me as a user, I don’t have full-time admin access. There has to be a reason and it’s audited and it’s tracked and it’s a one-time password. And as soon as I’m done and log off, I can’t use that password again.
Didn’t realize with Zero Trust how key that was going to be to the conversation. But there are things like this that you can do pretty easily. And if you do the three, the SIM, the access management, you can get a lot of the controls knocked out with just a few of the tools. And there are organizations, if you have the pockets like Microsoft, where you can get a number of the tools in one from one vendor. Because they have identity access, they have, I want to say, is it Security Center? So they have the same.
John Verry (38:21):
Yeah. They just, they’re changing that now. It’s, you know the Defender?
Andrea Willis (38:24):
Yes, Microsoft Defender.
John Verry (38:27):
Defender, you used to think of it as being an endpoint. It’s like, it’s their AV. Not anymore. Defender now is becoming kind of the brand. And that security and compliance center seems to be kind of becoming Defender. And they have Defender for clouds, Defender for SaaS, they just do. They make more changes in that environment on a weekly basis. I mean, every time I go into Microsoft, I’m confused because I can’t find what I was working on the last time I was in there.
Andrea Willis (38:53):
It’s just, it’s also a good option if you want one vendor who can give you a number of things just by buying their product set.
John Verry (39:02):
I like that idea a lot, especially if you’re an SMB or SME. If you don’t have a dedicated security team of six people, trying to put together a best of breed and having independent tools from independent vendors, get all the training on it, pick the products, make sure they seamlessly inter operate and then keep them running optimally is a yeoman’s task. So I think I agree with you. I’m a big fan of Microsoft for that reason. Because they give you an amazing amount of technology for the price that they give it to you for or in my opinion. Then I also think another great product that way, and I think SIMs, as you mentioned are critical to 801-171. I mean you’re probably talking about without a SIM, you’re going to struggle with probably half to 40% of the controls to be able to demonstrate that.
So like one we like is USM Anywhere from AT&T Cybersecurity. It used to be the old AlienVault product. Because what that does is it also kind of puts in place a bunch of tools. Because you’re going to need a vulnerability and configuration management tool. You’re going to need an asset management tool. You’re going to need some type of threat feed, And the cool thing is it kind of does all of that. It’s got an instant response module to it. So that’s a cool tool as well, I agree with you there. You mentioned some good ones, PAM. I hadn’t really, that’s really good if you’re going to go towards the Zero Trust. There’s some, a lot of our clients are not just CMMC beholden. They’re doing comms or they’re doing weapons systems, so they have RMF ATO requirements.
So they’ve got either CIS benchmarks or the D STIGs. So like a tool like Netrics or SteelCloud is really cool. If you’ve seen that, that’s really cool. NASAs, Qualys of course. So I think these are the types of tools that I think that the people are going to be having their environment and be using on a regular basis as part of these continuous compliance programs. And again, I’ll put in a pitch for a GRC platform product. I think yours is an excellent one, but if for some reason somebody doesn’t want to use yours, you will find that a GRC platform will make this idea of having a single source of truth, everyone looks at one dashboard. Everyone knows exactly where you are and you can expose your auditor to that when they come in, and you can use at the basis for your opinion when you’re actually senior authorizing official and sending him that attestation. I think those are all going to be great things to help you.
Andrea Willis (41:29):
Yeah, yeah. Because I will say, and I heard you say this yesterday in a webinar, John is. “Make sure you have the SSP to actually back up your SPRS score.” That’s-
John Verry (41:41):
Well, technically you shouldn’t have a SPRS score-
Andrea Willis (41:44):
You should [crosstalk 00:41:44]-
John Verry (41:44):
… if you don’t have a great SSP. I mean, because it’s the gating, but I’m amazed though. I got clients that are saying, “Oh yeah, we have a score as SPRSs.” I’m like, “Oh, what is it?” “Oh, it’s 75, we’re trying to improve it.” I’m like, “Oh, okay. Can I see? We’d like you to help us.” “Sure, no problem.” “Can I get a copy of your SSP?” “Well, we really don’t have an SSP.” I’m like,” “You have a score in SPRSs and you don’t have an SSP? How did you get past that?” “Well, I mean we kind of have.” “No, no, no, no guys, guys you are not in a good spot right now. If DIB CAG walked in the door you got a false claims act on your hand. You were doing, you don’t have what you need. Let’s get that fixed as soon as possible.”
Andrea Willis (42:27):
When you said that, I just about fell off my chair.
John Verry (42:31):
So we’ve done a great job of kind of following a logical process. So we know why we’re doing it. We see the value of it. We see how it relates to what we’re doing with the DIB. We know what the tools are that we’re going to use. Where do you see companies, so people can anticipate problems? Where do you see companies having problems getting these programs stood up, especially the compliance side of it?
Andrea Willis (43:01):
This is going to sound kind of weird, talking to customers. I think it is, if they haven’t started it, they don’t know where to start. Some already have started because they’ve been in the DIB a little longer and on contracts and they just sometimes don’t know where to start. And this is where I plug your company. Getting a gap assessment or working with a partner like Pivot Point to actually get started is where I … It’s probably one of the biggest ones I keep saying to people is, “Here’s partners. Here’s, they can get you started on the path of where you need to go.” That’s really where everybody is. They don’t, if I’m having a conversation with them, they are already in the path and they know, and the ones who don’t actually have no clue. And it’s, “Here’s where you need to start. You need to start with a partner like Pivot Point.”
John Verry (43:54):
Pivot point. Yeah, we see, like the calls that we have is there’s two things, A, they don’t have the manpower in-house, and that’s very common, especially manufacturing concerns. Security hasn’t been top of mind necessarily. So they don’t have large staffs to handle this stuff. And then the second thing is, they might not have the expertise either in InfoSec itself, or in interpreting some of the DFARs and NIST documentation.
Andrea Willis (44:23):
I would say one of the other things we hear frequently, and I think I heard it on your webinar yesterday. Also, people don’t know CUI, how to identify CUI.
John Verry (44:36):
It’s brutal. No, no. And it’s actually not their fault. I mean, it is, we haven’t … I got on a call the one day, it was an organization. They were deciding if they were going to work with us, they were interviewing vendors. And before we got on the call, we literally had a 90-minute conversation where they had a list, like a full Word document list of, is this CUI, is this CUI, is this CUI? And the reality is like, we had on the phone on our team a guy who led the 800-171, and CMMC compliance programs for a Fortune 500, six divisions. And we had a DIB CAG auditor that’s on our team on the ground. And it was like, “Well, it depends.” Or it was, “Well, we’d have to see this, or we’d have to see that.” There’s a lot of complexity to that. And unfortunately the agencies and primes are not great yet at properly and optimally labeling everything.
So I know the DAU was working on that, and I think that’ll be something really important. And I think we’ll see vast improvements over the next few years. So I agree with you. I agree with you completely that that is a big challenge for a lot of people. Because if you can’t specify, if you can’t determine what CUI you have, then you can’t fundamentally produce a system security plan. Because CUI relevance is store process or transit CUI. If you don’t know what CUI have, how do what people, what systems, what applications, what network segments, what geographic locations are integral to your CUIs enclave scope, and your system security plan?
Andrea Willis (46:12):
That’s a key to the whole thing, isn’t it?
John Verry (46:15):
Yeah, it absolutely is. So you had, when we were prepping for this, we had an interesting conversation. And I’m curious and I thought you had a different, an interesting perspective on it. I’m trying to figure out that when the rulemaking is complete. So you’ve got multiple components of that. You got the 32 CFR, Title 32, CFR 32 and Title 48 CFR I think they’re called. So when, in your opinion, when that rulemaking occurs, does that mean that we no longer have the CMMC phase-in period? That at rule make rules in place now every DIB contract is subject to CMMC, where we jump to 7021 for everyone? DFAR is 7021 for everyone?
Andrea Willis (47:00):
So, all I can do is what I’ve heard from better legal minds than I have, that there is no, what was it, a three, four year horizon for 1.0.
John Verry (47:13):
Yeah, 2026 I think they said, yeah.
Andrea Willis (47:17):
The first rumblings were that there was going to be some of this phase in, but I’ve also heard that once the rulemaking is done, the first contracts that we’ll have, it will start three months later. And so from that point on contracts will have it. I don’t know if renewals will, call that clause or not the new 2.0, but I’ve at least heard that there’ll be a three month lead-in for the first contracts to have it on it. But I’ve not heard the official, it will be over a three, four year horizon.
John Verry (47:50):
Now, I think you said when we chatted that you’d heard that through Metzger, who I think, Robert Metzger. And just a plug for Robert Metzger, he is a must follow on LinkedIn if you’re in the DIB. He is a, I think he’s a lawyer, correct?
Andrea Willis (48:05):
He is a lawyer. He’s a partner who specializes in the DoD DIB space, in particular with NIST and CMMC.
John Verry (48:15):
He’s one of the smartest reads that I have found. I make sure that if he publishes something, I try to read it. Been trying to get him on the podcast, but he is super busy. I still hope that he will eventually be on, because I think he’s got some really cogent observations with regards to where he thinks things are going that are probably the best predictions of anyone that I’ve seen.
Andrea Willis (48:36):
Yes, anyone I’ve seen. So when he speaks, I listen.
John Verry (48:41):
Yeah, you and me both. What was that, EF Hutton?
Andrea Willis (48:45):
John Verry (48:47):
Andrea, I don’t know how you or I would recognize that EF Hutton commercial, because neither one of us, clearly neither one of us are old enough to remember when that was originally playing. Ah, all right. So you’ve done a great job, thank you. Is there anything else that we missed that you think we should discuss?
Andrea Willis (49:08):
So, the last thing I would mention is, be truthful. In your SSP, in your SPRS score. If it’s a negative 26, put a negative 26. If it’s 25, put 25, be truthful, have that SSP to document what your score is. But also, as we’ve talked about, it’s continuous compliance. So keep working to finish and sign off on a POAM and get additional points and keep updating SPRSs as your score improves. Show your improvement to the government and your prime partners. Because it is a continuum. It is the continuous journey that we’ve talked about, but you need to be truthful. John Ellis from DCMA just recently, actually on the podcast with Bob Metzger had mentioned that for the assessments of the assessors that they’re doing, a number of them claimed that they were over a 100 points in this. And 70% of those they found actually could not support the score over a 100. 70%, I don’t know how many organizations they actually had done the analysis for, the investigation within DCMA, but that’s huge. And these are the assessors, so-
John Verry (50:28):
These are the most knowledgeable, ahead of the curve group. And out of those, 70% can’t support their score.
Andrea Willis (50:35):
John Verry (50:35):
Which means, what percentage logically? I would bet you that would mean that 95% of conventional DIB companies are not going to be able to support their score.
Andrea Willis (50:45):
So just be truthful. That’s what I tell everybody when they’re trying to let their primes know, “Be truthful with your score, and then have the documentation to support it.” And then you’re okay. But just keep working to get better to improve that score. And then as your score improves, make sure you put it in the PIE system. And that would be the one thing I would want people to know.
John Verry (51:10):
I could not agree with you more, and I give the exact same guidance. So I know you did your homework, just knowing the kind of person you are. So, I know you’re prepared. Usually I have to ask people like, “Are you prepared for this question?” But I know who you are, so I know you’re prepared for this question. So give me a fictional character or real person that you think would make an amazing or a horrible CISO, and why?
Andrea Willis (51:31):
So the funny thing is, I love this question. We just, and I immediately came up with the answer because I just finished watching the new season of Ozark on Netflix. And I realized Wendy and Marty Byrde, the two main characters, Marty would not be a good CISO. However, Wendy would be awesome. She would be an amazing CISO. She would fight for the security team to get the budget and get things done. Wouldn’t be afraid to blackmail the CEO into getting what’s needed for the security team to actually do what they need to do. A little frightening in that she would be so good, but she would certainly make sure that that organization did everything they would need to do to be cyber secure and protect those company’s employees, customers and assets.
John Verry (52:23):
So I have not watched Ozark. My son says it’s his single favor thing perhaps that he’s ever watched. So, and most of my family’s watched it. So, and it’s funny, because my sisters, two of my sisters independently told me, so Marty, I guess, is the Jason Bateman character?
Andrea Willis (52:41):
John Verry (52:41):
They said that as they’re watching it, they’re looking at their spouse and going, “Oh my God, that’s Johnny.” And my family, they call me Johnny and they say the character, that there are elements of his character that are me. And so it’s, so I have to watch it, and I will admit, I actually watched the first episode maybe about a month ago. And I thought the first episode was ridiculously good. And my problem is my wife is an avid reader, so getting her to be willing, and she wants to watch it, but I don’t get a chance to watch that much TV. So, I really want to watch the second episode, but haven’t gotten around to it. Because the first episode was fantastic.
Andrea Willis (53:21):
It’s fantastic. It’s dark. And it’s, the acting is just spectacular. But yeah, if you had asked me like the first season, I probably would not have said Wendy Byrde would be a good CISO. I probably would have said Marty. It’s only as her character has developed in the last that I’m like, “No, no it’s Wendy.”
John Verry (53:45):
I like Bateman. I think he’s a great actor. I mean, back in the day there was a show, Arrested Development.
Andrea Willis (53:45):
John Verry (53:50):
Kind of had a cult following, but I loved Arrested Development. I loved the tall skinny guy, I forget what, Will something or another, who plays one of my favorite roles of any movie of all time is Blades of Glory. And he plays the other figure skater with, they compete against, it’s a Will Ferrell and Napoleon Dynamite, I forget what his name is. Anyway, I’m off track here. So, last question. You chat with folks like I do every day. Any potential topics for future podcasts you think would be interesting?
Andrea Willis (54:26):
I will fully admit, I did not know this podcast existed until you asked me to join, so I have not listened. So, I had my snarky answer like, what is the meaning of life?
John Verry (54:37):
Andrea Willis (54:39):
John Verry (54:39):
You recognize that word?
Andrea Willis (54:40):
- I do. I do. I actually read the books. I think an interesting one in security space that’s probably not as well understood for an average team is probably DNS and the role DNS plays. That might be something interesting to talk about and why it’s important. Because DNS, if you look at your DNS exhaust that’s coming out of your systems, you can then see if you’ve been encouraged? Because they have to, if they’re doing DGAs or DNS tunneling, you can actually see that in your DNS traffic. But also, probably one of the bigger things, and this gets back a little bit to the Tenable and their products, Nessus, you need to know all your assets that you have that you need to protect. Not just for CUI, but for your whole organization. And DNS can actually help you identify assets that are calling out to the internet that you may not be aware of. So that’s why I like DNS. I think it’s –
John Verry (55:51):
Lot of information.
Andrea Willis (55:52):
Core and critical, a lot of information that you can derive from.
John Verry (55:55):
Yeah, one of the other things that I think DNS is good for in that way, but that same idea is IoT devices. Because we just don’t know. You plug things into your network. I mean, and whether it’s a monitor, whether it’s a refrigerator, whether it’s an Alexa, whatever they might be. I mean, they’re all outbound talking, your video cameras. And if you don’t know exactly what they’re talking to, or if you don’t know that they’re being properly updated, you’re going to end up in a situation where we had the Mirai botnet that’s going to cause you some pain at some point. So I think that’s that actually. And that’s one of the cool things about that is that as you go towards continuous compliance and as you go towards 800-171 performance and you have a good SIM in place, naturally you’re going to be able to see that.
In fact, what’s really cool is if you implement a good SIM that has a threat component to it. Like a threat exchange, like I talked about, like the AT&T Cybersecurity Product, USM Anywhere. As those new, so if an IoT device is outbound talking to a known bad actor, like a command and control, you’ll actually already have that flagged through that DNS lookup. So what’ll happen is your SIM will say to you, “Hey, you’ve got a device on your network. Here’s the IP address, here’s the host name. And it’s talking to a known compromised host in this country. You should probably dig into that. And if you want, click here to block that from talking any further.” So I like that thought process. Well, this has been fun. Thank you. If someone wants to get in contact with you, what would be the easiest way for them to do that?
Andrea Willis (57:22):
Sure. So the two easiest ways are Twitter. I love Twitter. I follow a lot of cybersecurity people as well as product people. And my handle is @andreasaraw, S-A-R-A, no H, W, so I’m out there. As well as LinkedIn, just Andrea Willis on LinkedIn. Happy to connect to anybody and have any conversations there.
John Verry (57:48):
And I’m going to guess Sara’s a middle name?
Andrea Willis (57:49):
It is. It is.
John Verry (57:53):
Andrea Willis (57:54):
I did that, how long ago did we have AOL and its chat function?
John Verry (58:01):
Yeah. Oh yeah. Listen, I’m going to pretend I don’t know what you mean by AOL, just because most people listen to the podcast think I’m 29, and who would, 29-year-olds don’t know what AOL is. I mean, you’re not going to tell me you know CompuServe and your original email address had numbers in it, are you?
Andrea Willis (58:19):
John Verry (58:20):
Okay. So I’m not going to tell you that either for me. Listen, have an awesome weekend.
Andrea Willis (58:20):
Thank you, you too.
John Verry (58:26):
Thank you so much for being on, I appreciate it.
Andrea Willis (58:28):
Thank you, John. Have a great weekend too.
Narrator (Intro/Outro) (58:32):
You’ve been listening to the Virtual CISO podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at firstname.lastname@example.org. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.