ITSPmagazine Podcast artwork

Now, More Than Ever: Supply Chain Security—Unpacking The CMMC With Katie Arrington And Yolanda Craig

ITSPmagazine Podcast

English - December 20, 2020 16:00 - 47 minutes - 43.2 MB - ★★★★★ - 15 ratings
Technology education internet business computers digital transformation future technology innovation science hacking Homepage Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Previous Episode: A Conversation With Farah Hawa | The Uncommon Journey | Episode Seventeen | With Alyssa Miller, Chloe Messdaghi, And Phillip Wylie
Next Episode: We Aimlessly Continue The Sprawl Of Our Digital Lives — Who Is Responsible For Managing The Mess? | An Imperva Story With Kunal Anand

It should be evident by now that Information security should be a core value to any organization—and even more so for those that interact with government entities—and furthermore for those that operate within the government defense space.

It's easy to say. But even for those that want to honestly act on this objective, how can they make "this" actually happen?

Good question indeed. This is precisely the one we are going to try to answer in this podcast.

Organizations can meet the letter of the law, or regulation, or standard. Checkbox process—done.

They can bring it to the front of the process and perform a risk assessment. Scenario documentation—done.

But what about the middle bit where a lot of the critical thinking takes place and where the controls get defined; where the organization not only claims they "take security seriously" but can also prove it?

How does an organization bridge this gap in a way that actually addresses the risk throughout the government's entire supply chain?

This is where the Cybersecurity Maturity Model Certification (CMMC) comes into play. And looking at the most recent events, evidently, not a moment too soon.

Now it is the time to go ahead and learn what the CMMC is.

From the CMMC site:
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S), working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry, developed the Cybersecurity Maturity Model Certification (CMMC) framework.

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level.

This text above provides a decent overview. But you likely have some questions. If you want to learn more about CMMC, DFARS, C3PAOs, and DIB; and, if you want to hear how CMMC and NIST connect together; and, if you want to hear how the CMMC can be leveraged to improve (and demonstrate) your organization's cybersecurity posture, then this episode is for you.

I had the distinct honor of bringing together two industry leaders that know the CMMC inside and out: Katie Arrington, CISO A&S at United States Department of Defense responsible for bringing the CMMC to light; and Yolanda Craig, a former manager of Cyber Information Technology) at the US DoD and now helping government contractors be cyber-ready.

This happens to be a very timely discussion given the recent cyber revelations for the American government supply chain. I would encourage EVERY organization (not just those supplying the government with products and services) to listen to this episode.

Now, more than ever, we need supply chain security. Now, more than ever, knowledge is power. Grab some here and share with far and wide.

Guest(s)
Katie Arrington, CISO A&S at United States Department of Defense

Yolanda Craig, VP, Cyber Strategy, Everwatch Solutions | Former Manager (Cyber Information Technology), US DoD

This Episode’s Sponsors:

Nintex: https://itspm.ag/itspntweb

Imperva: https://itspm.ag/imperva277117988

RSA Security: https://itspm.ag/itsprsaweb

Resources
CMMC: https://www.acq.osd.mil/cmmc/index.html

CMMC Accreditation Body: https://www.cmmcab.org/

CMMC Assessment Guide: https://www.acq.osd.mil/cmmc/draft.html

To see and hear more Redefining Security content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-security

Are you interested in sponsoring an ITSPmagazine Channel?
https://www.itspmagazine.com/podcast-series-sponsorships