Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

CMMC Cybersecurity and Compliance - October 2020 - In this episode, Craig Petronella answers questions about CMMC, NIST, DFARS and how these standards may influence HIPAA, SOC 2 Type II, and other regulations.

October 08, 2020 Craig Petronella Season 1 Episode 1

Your host, Craig Petronella, #1 Best-Selling Amazon Author of multiple books, including Ultimate Guide to CMMC: How To Access Millions In Government Contracts, How HIPAA Can Crush Your Medical Practice and more. Craig is MIT Certified in AI and Blockchain, an IT cybersecurity expert who founded Petronella Cybersecurity and Digital Forensics, and is frequently on ABC, CBS, and FOX News. In this episode he discusses the Cybersecurity Maturity Model Certification (CMMC) and how it may affect other regulations like HIPAA, SOC 2 Type II and others.

Call 877-468-2721 or visit https://petronellatech.com


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in cybersecurity and training, and be sure to like, subscribe and visit all of our properties.

Announcer:

You're listening to cybersecurity and compliance with Craig Petronella. Visit us online at Petronellatech.com.

Craig Petronella:

Hey, Jamal. How's it going?

Jamal:

Not too bad. About yourself, Craig?

Craig Petronella:

Well, I'm pretty good.

Jamal:

Good.

Craig Petronella:

Have you, guys, got any deeper in the CMMC space?

Jamal:

Not right now; we've been primarily just focusing on improving the solution itself. Adding new functionality: we're thinking we're going to help users log into local applications using GateKeeper, focusing on improving our password manager to capture password changes and make that more seamless for end-users when changing passwords.

Craig Petronella:

Okay, that's cool. I think there's going to be a big opportunity for you in the CMMC space, though.

Jamal:

Okay.

Craig Petronella:

I just passed the test from the accreditation body last Friday.

Jamal:

Oh, congratulations. That means you can start auditing people and start recommending solutions that fit the CMMC.

Craig Petronella:

We did the registered practitioner organization, and I'm the first registered practitioner who passed all 12 tests. And then I'm going to have Jonathan, Blake, and BJ go through the registered practitioner because that aligns best with our consulting and services that we're already providing to folks. They do allow you to do assessments, but you can't do both sides. So if we consult with a client, we can also do their assessment. We would have to recommend a different certified third-party assessor. I don't know if I'm going to go that route or not. Because there will be larger companies that already have their internal staff working on things that we would provide consulting with. So there will be a need for assessors, but I don't know. I've got to think about it some more. I don't know if that's a direction that we also want to go in. Once you perform one side or the other, you can't go to the other side. Do you know what I mean? I feel like there are more opportunities on the consulting side.

Jamal:

I can see that. Sometimes I think people are afraid to talk to auditors too often.

Craig Petronella:

Not only for that reason. I think that there's such a lack of cyber safety. A lot of these defense contractors are supposed to be already compliant with NIST 800-171. At least the folks I talked to are not even close. I think that there's just so much work in that area of jobs to be done. Just to get them ready and prepared for that audit. And I feel that's where we would shine for my company. Plus, the other cool thing is, we can do that work anywhere in the country. It opens up a lot of opportunities for us nationally. Whereas if we do the assessor side, once we go that path with a particular organization, we can't do the other side, you know what I mean? Like the penetration testing, the security risk assessments, all the stuff that we are experts at now, we wouldn't be able to do any of that. The only thing that we would be allowed to do under the ethics and Code of Conduct would be assessing their maturity level that they're after with the CMMC.

Jamal:

So that is pretty limiting.

Craig Petronella:

Yeah, it's very limiting. And from a business perspective, I feel that the world in the country is just so lacking in cyber safety. There's just so much more of an opportunity on the consulting side, in the preparation side, and then we'll just partner with other companies. That's almost like a staffing role, a step into like a staffing company might take over and get lead assessor certified.

Jamal:

Yeah.

Craig Petronella:

But your solution falls into play with a lot of the mandates and in regards to controlling access. There will be certain controls that you can look at in the CMMC PDF that you can try to solve with your solution.

Jamal:

Yeah. Do software vendors also need to receive a certain accreditation to say that they can assist with compliance. Just curious, what is the route?

Craig Petronella:

That's a good, good question; go to CMMCAB.org.

Jamal:

Okay.

Craig Petronella:

I think you need to get on, or it would be advantageous for you to get on licensed software providers.

Jamal:

Yep. I see it says coming soon.

Craig Petronella:

Yeah, but you might want to stay in close tune with that.

Jamal:

Okay.

Craig Petronella:

I think that's going to be huge for you guys. Once you get onto the marketplace, all the people in the ecosystem need your solution and my solutions. So it's going to be very important from a growth perspective to be there. Okay, I agree. Let me take a deep dive into this later on this afternoon and see exactly maybe where we can accelerate a few things. It looks like Elisa is going to join here. Hey, good morning.

Elisa:

Good morning.

Craig Petronella:

How are you today?

Elisa:

Good. How are you doing?

Craig Petronella:

Pretty good. It's a nice day outside. See a lot of Saddam happy.

Elisa:

Yes, that always makes it nicer.

Craig Petronella:

Absolutely. Thanks for joining.

Elisa:

Happy to be here. I don't have any immediate questions. I was mostly just coming in to listen to everyone else.

Craig Petronella:

Okay, that's fine. It is just kind of an open opportunity to ask any questions or just listen. If nobody asks questions, I'll just rant on some of the newest things out there. One of the hot topics, like I was talking to Jamal about, is the CMMC or Cybersecurity Maturity Model Certification that the DoD recently released on the 31st of January. Are you familiar with that?

Elisa:

A little bit. That's a little bit out of my general practice area. But I at least have a passing familiarity with what's happening.

Craig Petronella:

Okay. That's fine. I do think it's going to affect other organizations. I think that it will probably bleed into more common standards like SOC 2 Type II, or ISO. Most of those things are derived from NIST, anyway.

Elisa:

Yeah.

Craig Petronella:

It's going to be interesting how things pan out in the future as CMMC bleeds into these other areas, as well. How has the healthcare angle been for you guys this year with all the COVID-19?

Jamal:

It's been slower. A lot of what we've seen is the need to focus on setting up secure remote connections as much as possible. Because a lot of times they're issuing out software and start issuing laptops to people they've never had to before. So yeah, been a bit of slowdown in that area.

Craig Petronella:

Hey, Whitney, good morning.

Whitney:

Hey, Craig. How's it going?

Craig Petronella:

How are you?

Whitney:

Good. Looking forward to it. The topic I'm interested in.

Craig Petronella:

Good. Just going to post the link looks like some people are having trouble finding the links. I wish LinkedIn would open up their LinkedIn live. I applied for it several months ago. But then it goes into this black hole. And then nobody responds. And a friend of mine is an author of a LinkedIn book called LinkedIn for business. He said, You have to apply multiple times if you don't get a response. I just haven't had time to do that. But what's cool about it is if they do approve us that we would be able to post these events without Zoom, we would just do it directly into the platform, which is kind of cool. And then what it does is it notifies all of your connections that were live, so it draws attention to it too. I don't know why they make it so hard to get it.

Whitney:

I think that LinkedIn is a little bit of a bureaucracy.

Craig Petronella:

Yeah, right. Whitney, I was telling Jamal, who is on the line to about some of the CMMC updates. Have you been following that?

Whitney:

No, I haven't.

Craig Petronella:

The CMMC is the Cybersecurity Maturity Model Certification that came out on the 31st of January, mainly directed towards defense contractors and federal defense contractors. And Jamal's solution is called GateKeeper. And we've recommended this solution in the healthcare market to help with humans and passwords and how bad we all are at remembering passwords and changing them. He's got a cool token technology that solves that control layer. And I was telling him about there's going to be a big opportunity with the Cybersecurity Maturity Model Certification. Because that's the control layer that they require and they mandate. His solution solves a couple of those control layers. I think it's going to be a lot bigger and bleed into other areas, like healthcare and regulated industries. It's such a big overhaul. HIPAA was enacted in 1996 by Bill Clinton, and look where we are now. If you've ever looked at health care and HIPAA, and the requirements there, it's just so muddy and a gray area. Part of the CMMC is overwhelming. I would think it a bit daunting to those folks that, though they have the maturity level that they should be up, at least it provides some clarity on what they're looking for and what an assessor is looking for. But I think it's going to be a huge shakeup in the supply chain. It's going to be very interesting what happens in the next five to ten years. It looks like Bob's joining.

Whitney:

I'm excited to see how quickly the market reacts and how quickly people begin to switch over and start adopting these new technology requirements.

Craig Petronella:

That's interesting that you say that. So as far as how quickly that will be determined, I think there's a lot of pressure. And what I mean by that is, the DoD has said that if you don't get and you don't do this, you don't do the CMMC stuff. If you're a defense contractor, you effectively fall off the supply chain.

Whitney:

Oh, yeah, that's pretty good.

Craig Petronella:

You can't fudge it anymore. With NIST 800-171, you are self-attesting. Say you took a contract from the DoD, and you are awarded a $10 million contract. In the detailed terms and conditions, it said that when you take this money, you're attesting that you're 800-171 compliant with all 110 security controls, as well as policies and procedures. And most people just signed on the dotted line to take $10 million. When the government found out that all these folks were getting hacked in the supply chain, they started investigating. The government has something called the False Claims Act. So if you take money from the government, and you're awarded that $10 million, and they find that you're not compliant, they can enact the False Claims Act. You could have to pay three times the contract award. In that example, $30 million, plus other fines. It's pretty nasty. And then there is just an interim announcement from the DoD about folks; they're putting into the DFARS like an assessment process that they want you to submit to the DoD, a while saying that you are compliant with 800-171. For that, that just came out on the 1st of October. And that caused a lot of confusion, with many folks in the defense industry thinking that now they have to show and do a self-assessment and submit it and upload it to the DoD. Panic of organizations that are not compliant or not properly aligned to the just scrambled right. But yesterday, I got clarity that it wasn't the DoD thing to upload the self-assessment. It was that they were incorporating it into the DFARS. But it's not doing it like the first reaction was it was doing sixty days from the memo.

Whitney:

Oh, wow.

Craig Petronella:

People are reading and thinking that they have to do this by the 27th of November. So that's where a lot of confusion is at the moment. And we clarified that yesterday. But the other challenging part is there's no one to call at the DoD to get clarity. So they put these things out. And they're very cryptic and hard to read, understand, and follow. The same for the CMMC. And that's also why the DoD passed the baton over to the CMMC accreditation body. They knew that they just needed an organization, a nonprofit, to support the effort, build out the training materials from a central location and the certification tracks, and flesh it all out and make it more mature. I think that's helped with things. But there's also other confusion that I've experienced going through the training myself when I was saying that I just got the training done last Friday. The DoD says in the training that most folks will have to fall into the level one or the basic requirements for CMMC. And I don't agree with that. In training, they also say, if you touch any control, then classified information or created or edited, you need to be a level three or higher. There are just some little hurdles that need to be ironed out.

Whitney:

So they set a date for at least level one or two of CMMC must be completed.

Craig Petronella:

What they're saying at the moment is, in fiscal year 21, there's going to be 15. They're doing a crawl, walk, run approach. And there's going to be about 15 contracts that will have a mandate above 800-171. And also include a requirement at maturity levels, one through five, for the CMMC. They'll release 15 next year. And then the following year it goes up significantly. If I find my sheet machine, I'll tell you. It keeps kind of expanding each year rapidly, but they're doing a slow rollout. But all of the stuff that is not noted as the CMMC level still will have NIST 800-171 on it. So you still need to do the NIST 800-171. Plus, explore what level you want to be at for CMMC, which adds to that foundational component. Does that make sense?

Whitney:

Yeah. From what I remember, I was reading through some of the compliance standards. If you hit everything and missed, that should at least get you probably close to two or three on the maturity model for CMMC, if I'm correct.

Craig Petronella:

No. That gets you closer. Maturity level three has all of the 110 controls for NIST 800-171. But you need an additional 20 controls to get to maturity. They added 20 more on top of the NIST 800-171 for CUI. You're very close if you got 110, and then you got all the policies and procedures. You just need to get the other 20. Okay, I found my sheet machine. So 21 is 15 contracts. 22 is 75. 2023 goes up to 250; then it keeps going up from there almost double. There's a total of 1500 contracts that they're putting out for next year. And you see only a small amount of 15. But the other part says that's 15 is the total number of new prime contracts awarded with the CMMC requirement. They're saying the total number of prime contractors and subcontractors with CMMC requirements. They're saying 899 are in the ecosystem for level one 149 or four, two and 452 are for level three. And then these numbers just skyrocket in the future years. It'll be interesting. I think, Whitney, it's going to affect your industry with the payment card industry.

Whitney:

Yeah, I am not up to speed with any of that stuff. Most of my clients are not as large as far as people and stuff. Yes, of course, it will affect the municipality stuff, probably, that we've got.

Craig Petronella:

I think it's going to overhaul how with your smaller clients that you work with. Most of them are completing what's called a SAQ or a self-assessment questionnaire for PCI compliance with a line, and they fill the little thing out. What the CMMC has found, and what and why it was released is that the self-assessment process doesn't work very well. So what the government thing or the DoD specifically is saying is that you no longer can self-attest. You have to go through a third-party certified auditor. An assessor comes on-site to your location and watches over your shoulder to ensure that you have all this stuff you're attesting to at the maturity level you're after. You're not going to get the certification unless you pass all the policies, procedures, security controls, and the woven process into your culture. You can't just fudge this and do it at the last minute and buy all these widgets and say you are compliant now. It doesn't work that way. You have to show it.

Whitney:

That's a big problem for most. About half of our guys don't even certify themselves. It just never gets done. Some companies charge a fee. If you don't do it, we don't do it. I've thought what needs to happen is that the IT companies provide this service to come in, do all this stuff for them and get the headache out there.

Craig Petronella:

Yeah, the problem is people don't want to pay for it.

Whitney:

Yeah. If you have like anything else, that's another thing, you know?

Craig Petronella:

That's kind of where I'm going with the government's said, Look, if you don't do this, you fall off the supply chain. So what I'm saying is, who knows, the credit card companies might say that they want to reduce our claims and disputes in the future. So if you don't do this, you're not going to be able to take a credit card.

Whitney:

Todd told me the associations are going to step in and lay the Iron Fist down on this.

Craig Petronella:

That's kind of what I'm getting at and why I think that the CMMC will bleed into other industries. Many folks, especially small businesses, are using a third-party processor, like Authorize.Net or something. But they still have responsibilities because they're in front of the credit card, or they could see the card number. If they're exposed to it, it's still confidential information that they need to have policies, procedures and controls around. You can't have an employee writing it on a sticky note or trying to record it or memorize it by some other means. And that's a fraud. And that's the whole point of these regs, to try to help limit that.

Whitney:

How often do you run into companies storing their credit card numbers on spreadsheets and stuff like that?

Craig Petronella:

I've seen it before. I can't say how often because it's just not something that we do quite often unless we're hired to do some type of assessment like that, which is pretty seldom, especially on a small company like that. Most of the smaller companies don't want to do it at all. It's just like the HIPAA regs too. It's like pulling teeth to educate most small companies that they need to be compliant with HIPAA. And they don't want to do it. You tell them all the stuff that they're supposed to be doing. And then you show them the real words, real-world statistics on people who are getting these fines from the Office of Civil Rights and don't care. So you kind of throw your hands up. Again, CMMC should bleed into HIPAA regs. And I think that you should have to go through an assessment. You to practice a medical office should have somebody come on to the premises and validate the policies, procedures, and controls. And I don't think you should be able to practice unless you pass that assessment. Now that's a very political and bold move. But my point is that that's the only way that stuff will get done because people are just going to dismiss it.

Whitney:

Right. With medical facilities, they've got a budget to pay for something like that.

Craig Petronella:

Yeah, not the smaller ones.

Whitney:

I don't know, maybe like chiropractor places and stuff.

Craig Petronella:

Even small general practitioners don't have the number one. If I educate them and show them factual information from third-party sources that say this is the law, this is what you need to be doing. There are 18 plus policies and procedures. You need to map the policies and procedures to what's called security control layers. And they just kind of glaze over. They're like, I've never been taught this stuff in medical school. My point is that those smaller organizations can't afford a compliance officer. They can't afford that roll-up.

Whitney:

Yeah.

Craig Petronella:

But my point is that the smaller organizations, and smaller businesses that are either business associates or covered entities, are all stereotypically speaking. They are mostly non-compliant. And that's why you see on the news all the time where XYZ companies got dinged for $750,000. You know, somebody left a laptop in the car that got stolen, and I write about all this stuff in the books. These things happen because these folks have no idea what they're supposed to be doing. And they don't want to pay for it to get it done. Because it's expensive. And it's, especially when you have nothing in place, it's expensive to put all that stuff in place.

Whitney:

Yeah.

Craig Petronella:

There's no easy button for it, unfortunately, because even if you hire a provider, and you do like the hosting route, that's fine. And that will accelerate the cadence of compliance with a lot of things. As the practice owner, you still have responsibilities of things you need to do, and you need to customize it. You can't use boilerplate templates that you get for free online. You have to read them and customize them to your organization. And there are physical controls, too. If you have a building, and you have to have keycard access, for example, and you have to log that stuff, and if you've got a firewall, you have to store those logs. And you have to have somebody that's watching the logs for intrusions and threats. And all this stuff is very expensive.

Whitney:

I was just talking about this with someone else. You got to have employee training.

Craig Petronella:

Yeah, that's called security awareness training. And that's a mandate for CMMC. And you have to prove it. My point is in the HIPAA world, since that law was enacted so long ago, training is a good idea. And the human element is the weakest point in any equation; you could have all the technology you want. But if your people are clicking on stuff, and getting socially engineered, then you're going to get hacked, and you're going to have a breach. I think training at a monthly level, the video-based online type training, is great. Above the training, testing; I think testing is super important to be regularly doing.

Whitney:

All right.

Craig Petronella:

That stuff should be 101 stuff nowadays.

Whitney:

Most of the companies I'm dealing with in the municipalities are real large places. They really should be doing it. I talk about small business owners; they're not going to do that kind of stuff. You talk about the government, things like the small municipalities I handle. That's probably somewhere where you could get that kind of stuff put in? It's about staying compliant and all this kind of stuff.

Craig Petronella:

Yeah. What's happening now in the cyber in the forensic side of things is the folks go out of business if they don't have insurance. Firstly, a lot of them don't have insurance. Secondly, if they do have some type of blanket insurance, it's too low. It's only like $50,000. It doesn't cover how expensive it is to do a forensic analysis.

Whitney:

Yeah, we offer $100,000. But for a big company that's doing many transactions and stuff like that, they have a major compromise. That's just really not going to cover that much. I can't remember what the fee is. I think there's a $50,000 base right off the get-go. And then I might be wrong about that. But it's something up there like that. And then it's like $1,000 for every credit card number or something like that.

Craig Petronella:

Right. There's also in the terms and conditions of the insurance case a lot of areas where they disqualify payouts. So if you're not doing anything, for example, and you can't show proof of a security risk assessment and contest and training, if you have nothing, they may not pay the claim at all.

Whitney:

Yeah, I know that. And most of the legal fees are over $50,000 for a breach. And if it's something that affects multiple states' regulations, their state Breach Notification laws. There's also if you're subject to GDPR, then that makes it skyrocket through the roof. There's all this stuff. And I think there's going to be a lot of pressure for insurance companies and the kind of follow. That's why I think that the CMMC is going to bleed into insurance and other areas. Because if you think about it, if the insurance companies do something along the lines of the CMMC, they're not going to be paying out a lot of claims, or as many claims, when you have people that are getting third-party audits done every year to prove that they're doing all this stuff. It's going to go down. Yeah, it's a brave new world.

Craig Petronella:

We're getting up on the half-hour already. Does anybody have any questions?

Whitney:

No, I'll just say this. Craig, I'm interested in keeping up on all this type of stuff. Any way you can send out updates on what's going on with this kind of stuff is of interest to me.

Craig Petronella:

Yeah, make sure you're on our newsletter. We do updates every month, and then we do these events. I don't know if I'm on your newsletter.

Whitney:

If I haven't been looking at I'm going to be looking at it now.

Craig Petronella:

We post a lot of stuff in the newsletter, and then we also have these events weekly for education. And I'm not pushing or selling anything on these things. It's purely education and an opportunity to ask questions to learn about keeping up to date. If my clients or my tribe needs something, I'm always here to help them.

Whitney:

I've picked up on LinkedIn at this meeting. How is it generally get pushed out on your newsletter?

Craig Petronella:

It's usually through LinkedIn that we push out the events.

Whitney:

Okay.

Craig Petronella:

Yeah. But if you're on the newsletter, we will be promoting the events as well.

Whitney:

Okay.

Craig Petronella:

If you follow my company, and you'll be in tune as you log into LinkedIn, it'll update you. That's just another area that it updates you.

Whitney:

Okay.

Craig Petronella:

I put the link to the newsletter in the chat. You can click and sign up on that. If any interim updates come out, we always do a blast about it. Like we did one yesterday on the CMMC Interim Rule that was released by the DoD. If there were any changes in PCI or HIPAA, or ISO or SOC, or any other areas, we update on those accordingly, as well. But I like to do these in a week, quick. Thirty minutes to update everybody. If anybody's got questions, answer their questions, and just be a helpful resource.

Elisa:

I appreciate your time today, Craig. That was very helpful.

Craig Petronella:

My pleasure. Thanks for joining. Stay in tune. And if you can join them, do it, whatever your schedule permits, and there's always something new coming out each week.

Elisa:

Absolutely, yes, in this space, it's always changing.

Craig Petronella:

That's right. Awesome. Have a great day, everybody. Thank you for joining.

Whitney:

Thank you.

Jamal:

Thanks, Craig, it was good.

Craig Petronella:

Absolutely. Take care. Thanks for that.

Announcer:

Thanks for listening to yet another episode of cybersecurity and compliance with Craig Petronella. Listen to all of our podcasts on Apple, Google, and Spotify. Visit us online at Petronellatech.com to book a meeting with Craig about your business.