In this episode, we introduce CMMC-Spin, a bi-weekly feature that delivers CMMC content directly to your inbox. Redspin’s CISO, Dr. Thomas Graham, CMMC Sales Director Jeremy Mares, and CMMC Provisional Assessor Tony Buenger chat with us about how to stay current with the evolving CMMC news and updates, share their advice on documentation and training, and wrap up the episode with a briefing on GCC-H/VDI and creating a secure enclave in preparation for a CMMC assessment.
Sign up for CMMC-Spin here!
LAUREN FRICKLE (HOST): Welcome to CyberSpin, the podcast that brings you expert insights into today’s hot topics in cybersecurity, privacy, and compliance for highly regulated industries. Subscribe to CyberSpin on Apple, iTunes, Spotify, or your preferred podcast platform; a transcript of each episode can be found at www.redspin.com. Hello, welcome back to CyberSpin, Redspin’s podcast. I’m Lauren Frickle, and in today’s episode we’re going to introduce our CMMC newsletter, CMMC-Spin. We’re going to talk about what the newsletter is, who it’s for, and talk briefly about the first two issues, in case you missed them. To chat about all of this, we have a team of Redspin’s finest! Joining me today is Tony Buenger, CMMC Provisional Assessor here at Redspin. We also have Doctor Thomas Graham, our CISO, and Jeremy Mares, our CMMC Sales Director. Hey guys, let’s jump right in. Jeremy, first question for you: what is CMMC-Spin? Tell us, and please tell us who it’s for.
JEREMY MARES: Thanks, Lauren. CMMC-Spin is Redspin’s biweekly newsletter, dedicated to CMMC and the evolving ecosystem. Our goal with the newsletter is to touch on key topics that we feel are important for organizations to be aware of as they’re pursuing their own CMMC certification. With each installment of the newsletter, we’ll be highlighting a variety of topics that may be applicable to Organizations Seeking Certification for CMMC. With the rollout of a compliance framework as robust as CMMC, we all knew that there were going to be some rough spots early on. The DoD continues to work hard in smoothing out those rough patches and polishing them into a final product, which makes CMMC an ever-evolving framework. Our hope as a candidate C3PAO is to provide continued updates to everyone as we are providing guidance ourselves, and to be a source of accurate information as we continue to help pave a path to a final evolution of CMMC. Our goal with the newsletter is to help everyone seeking CMMC certification, both Level 1 and Level 3 and eventually Levels 4 and 5. This includes organizations of all sizes and industry verticals. Whether you are a manufacturer, a university doing research, or a health care provider with DoD contracts, the requirements for each Level of CMMC are going to be very similar in how they’re applied to organizations across all spectrums. So if you’re an organization in the CMMC space, signing up for the newsletter will provide your team with valuable insights on requirements from a C3PAO assessor’s perspective and what’s needed to meet the expectations for each requirement, as well as timely and accurate information as new updates are provided by the DoD and the CMMC-AB in general. If you’d like to subscribe to the newsletter, simply go to the CMMC certification services page at redspin.com. It’s that easy!
LAUREN FRICKLE: OK, thank you so much, Jeremy. Now Tony, hello and welcome back to the podcast; a question for you. Our first issue of CMMC-Spin talked about CMMC, documentation, and training. Can you give us a bit of a briefing on what was covered in that first issue? One thing that’s unique about this newsletter is that Tony, as a CMMC Provisional Assessor, and his team actually write a lot of the content for this newsletter, so a lot of the information that folks receive in this newsletter comes firsthand from CMMC experts such as yourself. So back to my question, Tony: tell us about that first issue that talked about documentation and training.
TONY BUENGER: Sure, I’d be glad to talk about that. The first issue covered the two major areas that can make or break an assessment for an organization seeking certification, and that is documentation and training. CMMC goes above and beyond your typical NIST SP 800-171, where you need to just complete the 110 controls. CMMC adds an additional layer to this compliance framework, which is called processes, which means you need to follow these processes and document your processes to ensure that the organization has implemented those CMMC practices, also known as security controls, in a way that is repeatable and lasting throughout the organization. So the basic concept is that documented processes that are not known to operators cannot be performed, or even performed consistently, so that’s what CMMC is looking for throughout the assessment: to be sure that, yeah, it may be clear that you can do the job, but if it’s not written down or documented, then there’s no proof that you can do that in a repeatable, lasting manner. The other part that’s very important is training. And what this means is there’s an important concept here: to get out of the paradigm that, when it comes to cybersecurity compliance, it doesn’t matter what kind of compliance you’re talking about, especially with CMMC compliance, this is not an IT or cybersecurity team endeavor only. You need to have the entire organization involved where appropriate. What we found here when we’ve gone through our own self-assessment is that we needed to train up our staff, especially the subject matter experts, the SMEs, to understand how to protect and handle controlled unclassified information. They need to understand where that lives and breathes, and once you understand that, you need to ensure that all the SMEs have documented procedures and they’re trained so that they understand those procedures and they can talk to those procedures. So we go into detail on both of those aspects in our first newsletter.
LAUREN FRICKLE: OK, great, thank you so much, Tony. Yes, there’s a lot of information in what he just said. For folks listening, instead of scrambling to take notes while listening to this, I invite you to check out our website resources for this information and, of course, to sign up for the newsletter. OK, switching gears: Doctor Thomas Graham, our CISO, first welcome to CyberSpin, happy to have you here. Outside of your role as Redspin’s CISO, I should note you are also a CMMC Registered Practitioner and a fellow contributor to CMMC-Spin, so I’m wondering if you can give us some input on what our upcoming issue will be on. I understand it will focus on GCC High and VDI. Please tell us what that is and why it matters.
THOMAS GRAHAM: First of all, Lauren, thanks for having me. So, GCC-H and VDI. Given that we’re working with the Defense Industrial Base, it only stands to reason we’re going to be talking with some acronyms. GCC-H is Microsoft’s cloud version of a secure environment. It’s built on their Azure and O365 services that are already there; however, it adds some additional context. Those contexts are the individualized versions specifically approved to be utilized with government information and DoD information. There are several versions of GCC, but GCC High is the version that is applicable for CMMC, and the reason why we went with that was that it enabled us to utilize true VDI infrastructure. VDI stands for Virtual Desktop Infrastructure, and the reason we went that way is that now, using the VDI, when you log into a physical system you have an additional layer of security there: if that system gets lost, the malicious actor that took the system is not going to be able to get into the secure enclave, if you will. The reason being is that once you log into the VDI, you still have to utilize MFA credentials as well as a couple of other mechanisms before you can even access the GCC High environment, which, if configured correctly, can only be accessed from that virtual desktop. Utilizing that kind of helped us overcome some hurdles with the new CMMC requirements that contractors are being placed under, primarily with the security of the data. With utilizing the virtual pieces that we did, we were able to carve out an enclave that only allows what is absolutely necessary in and out of it. This provides the ability to correctly show the explicit deny-all that most security professionals look for when they’re looking at network restrictions, where you allow by exception and deny by default. It was very easy to put this in place and show that the entryways and exit ways were limited only to what was absolutely, positively, no doubt necessary. Now, will that cause some contention? Absolutely. Personally, I was a little offended I couldn’t check ESPN when I was working from day to day, but it allowed us to again make it truly secure and only talk about the enclave and how we’re going to configure it. It enabled us to look at more processes and procedures dedicated directly to it without impacting day-to-day operations outside of CMMC that our own employees and customers already look to us and already depend upon us to perform.
LAUREN FRICKLE: OK, thank you so much, Thomas. I now know what GCC High and VDI are. Thank you so much for your efforts and for your contribution to this newsletter.
We are out of time for today. As Jeremy said earlier, to sign up for CMMC-Spin, simply navigate to Redspin.com and click the CMMC services tab. I will also be linking the form in the description of this podcast episode. Remember to like and subscribe and leave your comments on this podcast. Thank you very much for listening.