Navigating the Cybersecurity Maturity Model Certification (CMMC)

Host (00:00):

Hi Jodi Daniels here. I’m a certified information, privacy professional, and I help provide practical privacy advice to overwhelmed companies. I’ve worked with companies like Deloitte, The Home Depot, Cox Enterprises, Bank of America, and the long list of other companies over my career. And I’m joined today by my husband, Justin.

Host (00:24):

Hello, Jodi Daniels’ husband. It’s great to be here. I am a cybersecurity subject matter expert and business attorney. I am the cyber quarterback, helping clients design and implement cyber plans as well as help them manage and recover from the inevitable data breaches we have these days. Additionally, I do provide cyber business consulting services to companies.

Host (00:52):

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technologies, SAS, e-commerce, media, professional, and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more, visit redcloveradvisors.com. So today I’m really excited for our guest, Justin, who do we have here today?

Host (01:33):

Today? Our guest is Craig Petronella. Who’s an IT cybersecurity compliance expert and Amazon bestselling author. And his latest book is the CMMC accredited, registered. Oh, I’m sorry. It’s the Ultimate Guide to CMMC and he is also a CMMC accredited registered practitioner. Yes, my wife is frowning at me because I used a lot of words and not correctly, but since I know Craig, I may get a pass. Welcome, Craig. Thank you. Thank you so much for having me.

Host (02:07):

Yeah, this is fun. So, you know, it’s always nice to understand there’s a lot of letters, so help us understand how has your career progressed so that you now are an expert and helping companies with a CMMC accreditation?

Host (02:25):

Sure. Yeah. So I started many moons ago in April of 2002. In 2006 we really focused on managed security services and compliance for various regulated industries, HIPAA for healthcare, for example, DFARST compliance or NIST 80171 compliance for federal defense contractors. Last year the CMMC came about, or the cybersecurity maturity model certification was developed in joint effort with the Carnegie Mellon Institute, that original creators of the CMMI. It was in beta form last year and it finally came out 31st of January of this year, 2020. So I really focused heavily on the CMMC because I believe that it’s the new ISO standard for cybersecurity. And I think it’s really going to transform other regulations in our country, such as HIPAA for healthcare, since that was enacted in 1996 by Bill Clinton. And that was ages ago and it really is a lot of gray matter there.

Host (03:32):

So I think it’s due for an overhaul. And what I like most about the CMMC is that it really helps increase or improve the cybersecurity maturity level of organizations. So they’re not low hanging fruit to get hacked as easily because now there’s no faking it anymore. There’s no more self-assessments you have to get a third party assessment done by an accredited what’s called C3 Pao. And they have to come on to the premise to actually audit all of your controls in cybersecurity. So, you know, Craig, I just thought about something you just mentioned that HIPAA was passed in 1996. I think that’s the same year that they passed the telecom act, which was in 1996. And so it brings up an interesting question that I just thought of and get your perspective. So those laws were passed in 1996 before the internet, before a lot of the technology that we have today.

Host (04:28):

And so I’d love to get your perspective on how you feel that technology has impacted those laws that we have now, because CMMC is now kind of the latest in the evolution of cybersecurity law. And maybe you can help us understand how cybersecurity has evolved from laws in 96. And now when you’re talking about your expertise in CMMC.

New Speaker (04:53):

Sure, well, even just five years ago, when the National Institute of Standards And Technology or NIST came out with the NIST 801 71 and the NIST 853 for security controls for controlling unclassified or controlled unclassified information or QE even back just five years ago that a lot of the spreadsheets and materials that were provided by nist.gov for free for folks there they’re a bit dated already, too. So if you go back all the way and what I mean by dated is they’re referencing on-premise servers and on-premise equipment. And now in 2020, you know, a lot of organizations, especially small startups and small organizations they’re in the cloud. So they don’t have a lot of equipment on their premise anymore. So way back in 1996 like you said before the internet and before mainstream, Amazon and zoom and all the, you know, the Facebook and social media and all that stuff. We’re due for some change there’s just so much difference compared to what was done back then to now. And back then, I don’t know if you remember Justin, but there were phone hacking and freaking was common. I don’t know if you have heard of 2,600 magazine for example, but they posted about all that stuff for years and published articles on how kids were breaking into AT&T and things like that. You know, those are, those are like the, the days in and around 1990s, 1996.

Host (06:28):

And obviously before that, too, with the phone system, but now we’ve evolved so much with the internet age. The regulations are severely behind. What I like most about the CMMC is it really helped strengthen pretty much any organization, any organization can go online now and do what’s called a self-assessment and they can go and score their practice or their firm for their cybersecurity maturity level. And they should, even if they’re not in a quote unquote regulated space, they should still do that to make sure that they’re not a Mark and that then they’re not low hanging fruit.

Host (07:04):

So for those who might not be as familiar with CMMC, can you help us understand, you know, how does the framework look? Can we kind of break it down into different parts of it? So if someone was to go and check out that free assessment, what are kind of the blocks of questions or the pieces that they’re going to be asked about?

Host (07:26):

Sure. So the CMMC is really an overhaul of the NIST framework. So the NIST framework that came out, the NIST 801 71, and the 853 controls are, they consist of policies, procedures, and security controls. So you have an organization that like, for example, I don’t use them anymore, but maybe some organizations still use thumb drives, right? So you have to have a policy around, you know, the proper usage of thumb drive, or maybe you just prohibit thumb drives and you don’t allow them in your organization. So that would be an example of a policy. And then maybe you have a security control that if an employee stuck a thumb drive into the end point, it didn’t work. So something happens. There was like a police activity that happens where, okay, this is detected, this is not authorized. I’m going to make it stop.

Host (08:22):

So that’s a security control for that particular layer. So there’s 110 security controls and NIST 801 71. And the CMMC depending on the level, there’s five different levels of the CMMC, the CMMC looks and adds to the existing NIST policies, procedures, and security control requirements. So at the basic level one, for example, you don’t have to have all 110 controls. It’s just a small subset of them, and you don’t even have to have all your policies documented. But it’s the most basic of cyber hygiene. And I, and I think that most organizations should still adopt at least level one, but then you build upon level one, as you mature to level two level three and so on. And when you get to level three, that’s the most equivalent to NIST 801 71 with the addition of extra controls and extra procedures and policies on top of that.

Host (09:21):

Well, thanks for sharing. So I think my follow on question would be, you had mentioned any organization should go and do that. Is there a thought to sort of the size organization that generally takes and picks up and applies these types of frameworks? I mean, while we would say all organizations should pay attention to privacy and security, is there a certain size, whether it’s employee size, revenue size kind of data, some metric when a company should say, Oh, I should probably start really thinking about implementing a framework like this.

Host (09:53):

Oh, through my lens. In my experience, in my perspective, I think all organizations should try to hit level three CMMC level three. I know that’s a huge undertaking, especially for a small organization, but hackers don’t care. They’re looking for low-hanging fruit. So the harder we can make it for them to penetrate your network, the better for everyone, especially if you’re dealing with anything sensitive, personal identifiable information or patient health information or anything that you don’t want to be public, you should try to strive for that 801 71 or CMMC level three equivalent. Now that’s a huge job. That’s a huge undertaking. So you know, a lot of these small organizations, maybe five, 10 people, maybe they’re using Microsoft office 365, for example, but did you know that the commercial versions of Microsoft 365, it’s not compliant. Your data could be anywhere in the world and it’s not in the U S and it’s not manned by us personnel that are background checked. So anyone that’s dealing with sensitive information should not be using commercial versions of Microsoft 365. They should be securing their data, ideally with an end-to-end encrypted solution and trying hard to find and select vendors that take cybersecurity seriously.

New Speaker (11:19):

You mean the end-to-end encryption solution that zoom claim they were using, or Microsoft, Microsoft still doesn’t have end to end encryption. So, I think that we as consumers and we need to put more pressure on our vendors and companies to adopt more strength in cybersecurity.

Host (11:46):

You missed my little side signal. So I wanted to get in on that one, which so let you know, a lot of people use Microsoft 365. It seems like there’s Microsoft 365, and then there’s Google. Like, those are my two choices for email. So for those small companies who are, or even large companies who are using Microsoft 365, what is the recommendation? Is Google a whole lot better? Is that Microsoft plus something else? Or this is a bit of a risk you are taking?

Host (12:18):

Oh, the short answer is that Microsoft has a different product suite called GCC high and GCC high for DOD. There are different special versions when working with sensitive data, that it’s a separate environment it’s inside the US and only manned by background checked US people. So what that ecosystem to GCC high is typically three times more expensive than Microsoft 365 commercial versions. And if you’re currently using a Microsoft 365 commercial version, there’s no easy button, there’s no migration path. So a company essentially has to build an architect, a brand new environment, and GCC high and start over and migrate their data manually. There’s no quick way out. In the Google ecosystem, Google has G suite or premium products that you can use any of the free services, by the way, they’re not compliant. G suite has a, um, Google puts out in the HIPAA world or the healthcare world. They, they, they will sign a BAA if you properly configure all of the security controls and the policies around their G suite premium environment. It’s still not end to end encrypted though. It does check some of the boxes and it’s not compliant with the latest CMMC. So you it’s all about a balance. You can use certain things like, um, you could use certain things but you can’t store your data in the cloud with Microsoft three 65 commercial. You have to use their GCC high solution in the Microsoft world.

New Speaker (14:00):

Thank you. Now, it’s your turn. It’s my turn, your check. Your sure? Okay. Craig, I wanted to ask you to the tail end of your last answer. You talked about how consumers need to be putting more pressure on companies to take privacy and security more seriously. And again, I’m going to use zoom as an example.

Host (14:22):

The reason the primary reason zoom has grown exponentially is because it’s so convenient to use having used teams and zoom and WebEx it’s by far the easiest to use. Having said that, you know, and this week with the FTC kind of re uh, reinforcing it is it comes with the cost of security and privacy. And so I’d love to get your perspective of how we find a better balance, because if I’m a company and being more convenient leads to better profit, it’s going to beat the pants off of security and privacy every time.

New Speaker (14:58):

Agreed, you know, security is a balance. Um, however with modern technologies and solutions, the security features such as end to end encryption could be done in the background and will not affect the end user from using the system the way that we use zoom. Now, for example, so it doesn’t have to be super complicated. In this context around video conferencing and chat, Microsoft could easily or should have from the beginning made Teams end to end encrypted. And they didn’t. These are things that we, as consumers need to put more pressure on and demand from our companies that we, they have to have these encryption mechanisms in place in the background. And I fully agree with you, and it should still be easy to use. There are new email and data systems now that allow you to use, um, the services without a password. You don’t even have to use passwords. It binds it to the end point device. So that’s even easier to use. So I think it just depends on the application and the company and their maturity level and how they craft their product. Cause one thing you said in your comment there, Craig was, you know, Microsoft teams, they just didn’t do it.

Host (16:18):

And so then the question I have would be why, and I think a lot of times the answer to why is they don’t bring the privacy and the security people into the product development discussion. They’re just not part of it. And they figure it out, we’ll deal with privacy and security and bootstrap it later, which is effectively what zoom is being required to do by the FTC.

New Speaker (16:39):

I also think that’s true. I also think that companies like Microsoft may get pressure from law enforcement as well, and from the FBI around not using something so secure, like end to end encryption, because they want the back door, they want the way in for investigations. You know, I think that encryption as a whole it’s the forbidden word for FBI and law enforcement. They do not want us all to be using encryption because criminals will use that technology and exploit it. I mean, if you’re a criminal, I want to put you in jail, just let you know, and do what’s right. But the fact of the matter is we shouldn’t sacrifice our entire country’s security because of that one thing, there should be other policies, procedures, other things put into place that don’t jeopardize the security for everyone.

Host (17:36):

Yeah. That gets to the exact issue that we have between transferring data from the US to the EU. So I spent a lot of time working with companies in GDPR and the whole issue that we have that exists now between that cross border transfer and why safe Harbor fell down and why privacy shield has fallen down is because of those very backdoors. So it’s a very real challenge that I am not going to be able to solve on today’s conversation. What- no you’re good at solving everything! I know I can’t quite solve this, but I do have a different question because Craig, you can help people solve problems. So help us understand what is the accreditation that you have and what does that mean and why would a company want to pick someone who has that accreditation? What is it that they’re getting over a Jodi who could say, well, I could do that too.

Host (18:32):

Great question. So the DOD or department of defense, they pass the Baton over to a nonprofit called the CMMC accreditation body. And that nonprofit was to lead the efforts of the CMMC also lead training resources that different individuals as well as vendors and provide certification tracks. So my company has chosen well, it’s called an RPO or registered provider organization, and I’m the first registered practitioner or RP in my organization to become accredited through the CMMC AB. And what that means is I’ve, I’ve signed off on a code of conduct for ethics, and I’ve also gone through their training. They have about 12 different exams I had to go through and pass all those exams and get my accreditation. So I’ve been vetted. And basically the reason why folks that are listening want to go to the CMMC ab.org website is to find either us or other accredited companies to work with because they’re the ones that are going to be proficient. The very complex topic it’s changing very rapidly. You want to make sure that you select a company that can help. And there’s two sides. There’s, what’s called the RPO, which is what I have the registered practitioner organization. What that means is we help with the consulting, the policies, the procedures, the templates. If you have nothing, we help you create it. If you have some pieces, we help you review and use what you have and adapt that to security controls. If you don’t have the controls, we help you build the controls, build the environment architected. So we help with that whole process. What we’re not allowed to do is the formal assessment. We can’t do the formal third-party assessment. So we choose to work with other organizations which are called C3, Pao certified third-party auditor organizations. Those folks will send out what’s called a lead assessor or a certified assessor to the, to the firm, to their premise. They’ll fly them out. Or if they’re local, they’ll drive there, they’ll show up, they’ll look over the shoulder of their IT person and ask for two forms of evidence for each of the, that they’re going after for the maturity level that thereafter with CMMC. And after they go through all of this rigorous process, then the lead assessor will submit the results to the CMNC accreditation body and they’ll get processed. And if all goes well, the firm will get their accreditation with the CMMC at the level that thereafter, if for some reason, something needs to be remediated or fixed, they can come back to us. It’s the RPO will help that, that company fix whatever they need to do or fill those gaps. Then they can get retested.

Host (21:22):

That’s quite a, quite a process. So congratulations to you and on going through it. And I think it’s really helpful to explain because it, to the average person, they might not be as familiar with it. And there’s a lot of people out there who say that they can add and do a variety of, of items. And they’re not always as I’m certified in them or always as well-versed in them. So thank you. It’s really helpful to know that.

Host (21:47):

You can hire me tonight and I can come fix your plumbing. Well, where should we go from here? I guess one thing, when I think we have a final question before we get to the two most important questions, two most important questions is, you know, we’re talking about CMMC today and you know, we talk about the, we talked a little bit about the past. We talked about the present and love to get your perspective on, you know, based on what you’re seeing now, what are you seeing as some of the trends that are going to continue in cybersecurity or the future or the things that you see happening that you’ve identified as this is going to be a challenge in the next three to five years going forward in the industry. Yeah. So I think that the takeaways from the CMMC for example is really this third party assessment process.

Host (22:47):

Self-assessments don’t work is really the bottom line companies have been self-assessing for HIPAA compliance for PCI compliance. They self a test online, they fill out a form, it might be 30 questions or 50 questions. Vendors nowadays are getting smart. They want to, they want to score the risk of who they’re doing business with and for good reason. So they create what’s called VSQ or vendor security questionnaires. I’m sure you’ve seen them. They’re sometimes five, 600 questions. They’re complicated. They have multiple tabs at the bottom. They ask a bazillion questions. Most of the folks that try to fill this stuff out, it’s like a deer in headlights. They don’t even know where to start, so they need help filling out the VSQ. All of that stuff, shouldn’t be so hard companies of all sizes should have basic cyber hygiene in place. They should have basic policies and procedures and security controls in place, and they should be audited by a third party to make sure that they’re done correctly because I get it.

Host (23:46):

I know that a lot of small organizations, they probably don’t even have an it person. It might be the owner or the brother or somebody that comes in to set them up, right. To get them going. And that’s all great. But that person may not be a cybersecurity expert and may not know, or have ill intentions, but maybe it makes mistakes in regards to security, you know, back I’m sure Justin, you remember back in the XP days and the windows days, you know, a lot of people would just do password and people still do this today. Scared, so scary. But now they’ll log on with the same credentials to the systems and they won’t take, you know, the disable, the security of the operating system in favor of, of using regular usage to make their job easier. So my point is that you can’t do that stuff anymore. You can’t fake it. Craig, I’m going to have to interject. If you’re going to reveal my password on the on the podcast, which is password, I’m going to have to cut you off. laughing.

Host (24:42):

And you can send me sticky notes.

Host (24:45):

That’s my other favorite slide. When I do a presentation of a guy who put his password on a sticky note on his monitor, and they took a picture because to your point, now we use these complicated passwords of like 10 or 12 characters with a capital letter, a number of symbol. And if you make it that complicated, well, how the people get around it. Cause they can’t remember all that. You write it down and stick it on the monitor. Well, the scary thing is how easy it is for a key logger to capture that password and key loggers are malicious software that captures your keystrokes and they exist on mobile devices as well as for Mac and windows systems and endpoints. And there’s no known way to stop a zero day key logger. You could, you could find known key loggers with traditional software like antivirus or anti-malware software, but unknown keyloggers are easy to find and available to hackers on the black market for just a hundred bucks or less.

Host (25:38):

So the only way to stop that is to not use the keyboard or use a token based system. You’ve probably seen one of these before, or maybe not. It’s called a hardware token. Yep. That one in particular is part a YubiKey. So you can use that in conjunction with a supported password manager. So you can remember this long passphrase plus you have to use the token. So if you had a keylogger on your system that knew your password is they still can’t get in because they don’t have hardware token. So doing those things together and meshing in multiple layers of security vastly improves your cybersecurity. Gotcha.

Host (26:16):

Well, so that could be a really great tip.Our question that we’re asking everybody is what is the best kind of privacy or security tip that you would want people to take away? So it can be either personal or for their work environment. Personally, the token might be my tip for today, but I’d like to hear if you have any other special tips.

Host (26:40):

Yeah. So the, the one I showed with the password using a password manager paired with a token is something everyone can do. And it’s cheap. I mean, a token like that, that I showed you is less than 50 bucks on Amazon, a password managers probably about the same, but it’s like for the whole year. So for a hundred or 200 bucks you get vastly improved security. The second thing I can give you would be multifactor authentication, almost all cloud services, support multi-factor authentication, where you get a text message or you use something called Google authenticator and it changes every 60 seconds or 30 seconds with a new pin code. So you should use those things for as many services as possible.

Host (27:21):

Yeah. I really like authie. That’s one that I enjoy and what’s nice about author is it can be mobile or desktop. So Google authenticator is always having to go to my phone and get it. So authie is kind of nice because it’s right there, it’s on lots of places.

Host (27:36):

Yep. And so for our last question, we’re going to go away from cybersecurity and just say, you know, what is something that you enjoy doing outside of your day job? So I, a few tips, a few different things. I like to do CrossFit. I started doing CrossFit about four years ago. I built a gym in my garage and I do CrossFit every day. Yeah.

Host (28:01):

Now did you take over the whole garage? Just kind of

Host (28:04):

It’s the corner, the corner. Yep. And my wife likes to, you know, especially with COVID nowadays, she uses the garage in the gym in there. So I got a full CrossFit gym in there with, you know, rower and bike a fault by, you know, the whole nine yards, you know, that’s awesome because I used to have a gym and now it’s my wife’s office and the podcast studio. It’s a multi-purpose room.

Host (28:31):

Wow. Who taught you to be a lawyer?! There you go. I guess so. Well, Hey, it’s been great to have you. I think we learned a lot today, particularly about, um, the commercial version of Microsoft three 65, particularly interesting. Um, last thing, if people want to learn more about CMMC and what you’re doing, where can they find you? They can go to my website, which is Petronella tech, PETRONELLatech.com. Download our CMMC guide book that they can download if they go to CMMC.Petronellatech.com as well as a wealth of other resources available. Okay.

Host (29:15):

Well, we’ll be sure to include that in the show notes. So thank you so much. Thanks again, Craig, for joining us.

Host (29:20):

Thank you so much for having me. This was fun. Absolutely.