It’s been a long and wild ride on this #cmmc ship! ⛵

In this episode, I speak with Stacy Bostjanick who is the Director of the CMMC program at DoD CIO!

Here are some highlights from the episode:

• Expectations for the initial phase in of CMMC
• Who determines CMMC levels for contracts?
• How will CMMC waivers work?
• Criteria for CMMC level 2 self-assessments and CMMC level 3
• Early use of NIST 800-171 r3
• And so much more!

First mentioned in 2019, CMMC 1.0 was released in 2020 under the Trump administration.

CMMC 1.0 was reviewed during the Biden administration, they released CMMC 2.0 in late 2021, and then… There was a great silence.

If you threw a small rock, you’d hit ten people who thought CMMC was going away.

All this time though, the DoD was quietly marching on.

They released the proposed CMMC program rule in December 2023 and released the final CMMC program rule in October 2024 - which is now EFFECTIVE.

After all of that, CMMC will FINALLY begin to phase into DoD solicitations and contracts by this summer.

CMMC has been a LONG time coming, and it was an honor to hear the back story and why certain decisions were made!

What were your biggest takeaways? Let me know in the comments!

Follow Stacy on LinkedIn: https://www.linkedin.com/in/stacy-bostjanick-a3b67173/

DoD CIO CMMC website: https://dodcio.defense.gov/CMMC/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e43&utm_campaign=courses

#cmmc #nist #cybersecurity

Your MSP could be a CMMC disaster. 💥💣💥

I wish I was joking.

In this episode I speak with Joy Beland about the critical role IT Managed Service Providers (MSPs) play in the CMMC space and why so many of them will cause their clients to fail their CMMC assessments.

Here are some of the highlights:

• The NEW critical CMMC requirement for MSPs
• Why so many MSPs will cause their clients to fail CMMC assessments
• Why MSPs SHOULD still get CMMC certified
• Questions to ask your MSP to gauge their CMMC readiness

Joy is the Vice President of Cybersecurity Compliance at Summit 7 and brings over 20 years of experience as a former MSP owner. Summit 7 is a specialized MSP exclusively supporting defense contractors.

If you use an MSP, don't just assume that everything is OK and your MSP has it all covered.

It's highly likely that they do NOT and you'll FAIL your CMMC assessment because of them.

There are some great CMMC-focused MSPs out there, but the majority of MSPs have NO BUSINESS supporting defense contractors.

Choose wisely!

What stood out most to you? Whatever your thoughts are, feel free to let me know in the comments!

Follow Joy on LinkedIn: https://www.linkedin.com/in/joy-belinda-beland/

Summit 7 website: https://www.summit7.us/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e42&utm_campaign=courses

Should you NEVER pay after a ransomware attack?

In this episode I speak with Frank Riccardi about cybersecurity in healthcare and the event that triggered much more cyber accountability for the C-suite.

Here are some of the highlights:

• Why healthcare workers are prone to social engineering attacks
• Reasons you SHOULD and should NOT pay after ransomware attacks
• Managing shadow IT after acquisitions/mergers
• Why every member of the C-suite must understand cyber
• The importance of a culture of reporting

Frank is a former C-level executive with 25 years of experience developing compliance and privacy programs for large healthcare systems comprised of hospitals, physician practice groups, urgent care centers, and other healthcare organizations.

I really enjoyed Frank's description of shadow IT! I always thought of an employee who is using an unauthorized application, but I never thought of it from the standpoint of an acquisition/merger.

What stood out most to you? Whatever your thoughts are, feel free to let me know in the comments!

Follow Frank on LinkedIn: https://www.linkedin.com/in/frank-riccardi-261831b1/

Frank's Book (Mobilizing the C-Suite: Waging War Against Cyberattacks): https://www.amazon.com/Mobilizing-C-Suite-Waging-Against-Cyberattacks/dp/1637424248/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e41&utm_campaign=courses

#cybersecurity #healthcare #hospital #informationtechnology

Should you fire your MSP?!? 🔥🔥🔥

In this episode, I speak with cybersecurity attorney Sarah Anderson about how to evaluate IT Managed Service Providers and how businesses can protect themselves when relying on them.

Here are some of the highlights:

• How you should evaluate MSPs
• What to do after your MSP is hacked
• Managing the cyber incident
• Cyber insurance pitfalls
• Should you fire your hacked MSP?

Sarah is the owner of SWA Law LLC and also serves in U.S. Army Reserves as a Lieutenant Colonel.

She has been involved in more than 100 cyber incident responses throughout her career and also represents public and private entities in regulatory compliance, cybersecurity practices, and technology contract negotiations.

If you are relying on an MSP to manage your IT and security, you won’t want to miss this!

As Sarah said, not all MSPs are created equally. Many MSPs have such poor security practices they WILL get you hacked.

Encourage your MSP to join MSPCyberX! It's a nonprofit focused on elevating the security of MSPs: https://www.mspcyberx.com/

Follow Sarah on LinkedIn: https://www.linkedin.com/in/sarah-anderson-lacyberlawblog123/

Legally Cyber website: https://www.legallycyber.com/

Sarah's cybersecurity course for lawyers: https://courses.sprouteducation.com/item/cybersecurity-basics-lawyers-653403

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e40&utm_campaign=courses

#msp #informationtechnology #cybersecurity #cmmc

SOC 2 isn't the only SOC out there! 🧦

In this episode Cera Adams breaks down these SOC reports and what to expect in a SOC audit!

Here are a few highlights from this episode:

• Why CPAs are involved
• What SOC 1 / SOC 2 / SOC 3 reports mean to providers and consumers
• Difference between SOC 2 Type 1 and Type 2 reports
• How SOC scoping and audits work
• SOC consulting/audit independence requirements

Cera is the Director of IT Assurance Services and leads OCD Tech's SOC 2 and IT Audit Practices. She has more than 20 years of experience in information security!

I've spent most of my career working in the NIST cybersecurity space, so this was very interesting to me!

I thought that the SOC 3 report was interesting, especially since many other frameworks don't have an equivalent.

What were your takeaways? What is your best SOC pun? Let me know in the comments!

Follow Cera on LinkedIn: https://www.linkedin.com/in/ceraadams/

OCD Tech Website: https://ocd-tech.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e39&utm_campaign=courses

#soc2 #cybersecurity #informationsecurity

Do you use Android at work, but don't really understand it?

In this episode Hahna Kane Latonick teaches an Android cybersecurity masterclass for cyber GRC teams:

Here are a few highlights from this episode:

• How the Android project is managed
• How Android devices are compromised
• The many steps to update Android devices
• Most important steps to secure Android devices
• Is Apple more secure than Android?

Hahna is the Director of Security Research at Dark Wolf Solutions. Some of her focuses include Android reverse engineering and exploit development. She has been featured on national media outlets including Fox Business News, ABC News, and many others!

Too often companies integrate mobile devices at work without truly understanding how they work and the risks involved.

Hahna explained these concepts so well! And of course, we had some back and forth on what is more secure, Android or Apple.

I really enjoyed this episode and learned more about Android myself! What were your takeaways?

Follow Hahna on LinkedIn: https://www.linkedin.com/in/hahnakane/

Dark Wolf Solutions Website: https://darkwolfsolutions.com/

Android Security Research Playbook: https://asrp.darkwolf.io/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e38&utm_campaign=courses

#android #cybersecurity #informationsecurity

Introducing the Penn State Whistleblower.

In this episode, the whistleblower explains how he tried to stop Penn State from misrepresenting their NIST 800-171 compliance to the DoD and what he has faced since he blew the whistle!

Whistleblower attorney Julie Bracker also shares what the media got wrong in this case and the latest on the Georgia Tech FCA case!

Here are a few highlights from this episode:

- Hear directly from the whistleblower in this False Claims Act case

- What the media got wrong

- Recommendations to universities

- Advice for other whistleblowers

Matthew Decker was the Chief Information Officer at the Applied Research Laboratory at Penn State from 2015 until 2023 and the interim Vice Provost and CIO responsible for all of Penn State from January 2016 until September 2016. Matthew currently serves as the Chief Data and Information Officer at NASA’s Jet Propulsion Laboratory since 2023.

It was fascinating to learn that the university assumed compliance with their own AD95 security policy meant they were automatically compliant (at least to some measure) with NIST 800-171. This is a great reminder that the details always matter!

Special thanks to Matt for sharing his story with us, and to Julie Bracker for coordinating this interview!

Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/

Bracker & Marcus LLC Website: https://www.fcacounsel.com/

Connect with Matt on LinkedIn: https://www.linkedin.com/in/matt-decker-cio/

Whistleblower's Handbook: https://www.amazon.com/New-Whistleblowers-Handbook-Step-Step/dp/1493028812/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e37&utm_campaign=courses

#whistleblower #cmmc #cybersecurity

Confused about Microsoft 365 and DFARS/CMMC compliance?

In this episode, I speak with Richard Wakeman, Chief Architect for cybersecurity of Aerospace & Defense @ Microsoft!

We discuss the history of the government clouds, the need behind GCC and GCC High, and much more!

Here are some highlights:

• The origins of the Microsoft clouds
• Which clouds support DFARS 7012 compliance
• When will GCC High be FedRAMP authorized?
• CUI enclave considerations

Richard is a wealth of knowledge, and I have personally benefited from his compliance blog articles since at least 2020!

If you are currently operating in the Microsoft cloud or are trying to decide which Microsoft cloud to buy, you won't want to miss this!

Were you aware that GCC High isn't FedRAMP authorized yet? What about Microsoft 365 commercial not being compliant with DFARS 7012?

Whatever your thoughts are, let me know!

Follow Richard on LinkedIn: https://www.linkedin.com/in/wakeman/

Microsoft Cloud compliance article: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-dod-amp/ba-p/4225436

Microsoft 365 Roadmap: https://www.microsoft.com/en-us/microsoft-365/roadmap

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Experience questionnaire automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e36&utm_campaign=courses