GRC Academy – Details, episodes and analysis

Podcast details

Technical and general information from the podcast's RSS feed.

GRC Academy

GRC Academy

Jacob Hill

Technology

Frequency: 1 episode/19 days. Total episodes: 30

RSS.com
Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform for GRC professionals, executives, and anyone else who wants to increase their knowledge in the GRC space!
Site
RSS
Apple

Recent rankings

Latest positions in the Apple Podcasts and Spotify charts.

Apple Podcasts

  • 🇬🇧 Great Britain - technology

    10/09/2024
    #82
  • 🇬🇧 Great Britain - technology

    09/09/2024
    #46

Spotify

    No recent ranking available



RSS feed quality and score

Technical assessment of the quality and structure of the RSS feed.

RSS feed quality
Needs improvement

Overall score: 68%


Publication history

Monthly breakdown of episode publications over the years.

Latest published episodes

List of recent episodes, with titles, durations and descriptions.

Zero Trust - It's Way Easier Than You Think with John Kindervag

Season 1 · Episode 30

Tuesday, 3 September 2024 · Duration 31:45

Zero Trust is NOT complicated!

Don't believe me? Let me introduce you to its creator!

In this episode, Jacob speaks with John Kindervag, the creator of Zero Trust.

John is the Chief Evangelist at Illumio where he accelerates awareness and adoption of Zero Trust Segmentation.

In the episode he shares the origin story of Zero Trust, starting with his time at Forrester Research. He explains the fundamental principles of Zero Trust, debunks common misconceptions, and shows how you can implement Zero Trust using a 5-step model.

Here are a few highlights from this episode:

  • The broken trust model that has allowed the largest data breaches
  • Defining Zero Trust and misconceptions about it
  • How to implement zero trust in 5 steps
  • "Things Run Amok" poem - if Dr. Seuss wrote about the Internet of Things

John's elevator pitch for Zero Trust is a masterclass in itself.

If you want to convince business leaders to invest in cybersecurity, you have to focus on how that investment will benefit the business. John does exactly that here and we should all take note.

Illumio is a Zero Trust Segmentation company that prevents breaches and ransomware from spreading across hybrid environments. Their platform visualizes traffic flows, automatically sets granular segmentation policies, and isolates critical assets and compromised systems. Founded in 2013, Illumio protects organizations of all sizes, from Fortune 100 to small businesses.

Follow John on LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/

Illumio Website: https://www.illumio.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e30&utm_campaign=courses

The Cisco Whistleblower - The First Settled Cybersecurity False Claims Act (FCA) Lawsuit

Season 1 · Episode 29

Saturday, 24 August 2024 · Duration 26:30

Introducing the Cisco Whistleblower.

In this episode, Jacob speaks with lawyer Hamsa Mahendranathan about the FIRST cybersecurity False Claims Act (FCA) lawsuit that reached a settlement!

This goes all the way back to 2008 believe it or not… The lawsuit was FINALLY settled in 2019!

As we all know, the DoJ has intervened in the Georgia Tech NIST 800-171 FCA whistleblower complaint.

Wonder what the whistleblowers may be dealing with? Maybe you want to blow the whistle yourself and don't know what to expect?

Here are a few highlights from this episode:

  • How Hamsa's client unwittingly became a whistleblower
  • The fallout he experienced for doing the right thing
  • Mitigations for career consequences of blowing the whistle
  • The complexity of working with federal, state, and local False Claim Act laws

And so much more!

If you are interested in the False Claims Act and cyber compliance, you won't want to miss this one! This episode is truly one for the history books!

Read the whistleblower complaint: https://cdn.grcacademy.io/web/20240824091900/us-ex-rel-glenn-vs-cisco-fca-complaint.pdf

Follow Hamsa on LinkedIn: https://www.linkedin.com/in/hamsa-mahendranathan/

Whistleblower Partners Website: https://www.whistleblower.law/

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e29&utm_campaign=courses

CMMC and Security Compliance in Higher Education

Season 1 · Episode 20

Wednesday, 20 March 2024 · Duration 01:15:56

In this episode, Jacob speaks with a panel of information security experts from universities about CMMC and their experience preparing for it!

They discuss security and compliance challenges at universities, the Penn State NIST 800-171 False Claims Act lawsuit, and much more!

Here are some highlights from the episode:

  • How universities are different from other types of organizations
  • Different compliance requirements for universities
  • Who is involved in the execution of a government contract?
  • The drivers of cybersecurity compliance at universities
  • Thoughts on the Penn State False Claims Act lawsuit
  • How to drive positive cybersecurity change at a university
  • CUI enclaves at universities
  • Areas of CMMC that need clarification

Here are the panelists:

Thanks to our sponsor Keeper Security!

Need a secure file sharing solution? Register for a webinar showing how Defense Contractors can share sensitive information using Keeper: https://grcacademy.io/ref/keeper/webinar-cmmc-file-sharing-april-2024/

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e20&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

AI's Impact on Cybersecurity Risk with Dr. Raghuram Srinivas of MetricStream

Season 1 · Episode 19

Friday, 1 March 2024 · Duration 16:59

In this episode, Jacob talks to Dr. Raghuram Srinivas from MetricStream!

They discuss the beginnings of AI, how it has evolved over time, and the risks and opportunities it presents to companies around the world!

Raghuram is the Senior Vice President of Product Management at MetricStream. He is an AI expert and has worked in AI-focused roles at JPM Chase, KPMG, as well as the Watson Group at IBM.

Here are some highlights from the episode:

  • The history of AI
  • How do large language models (LLMs) work?
  • AI for GRC & GRC for AI
  • Using AI in cyber operations
  • The future of cyber risk

Follow Ragu on LinkedIn: https://www.linkedin.com/in/raghuramsrinivas/

MetricStream website: https://www.metricstream.com/

-----------

Online cyber GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e19&utm_campaign=courses

Zscaler on FedRAMP and Zero Trust with Patrick Perry

Season 1 · Episode 18

Tuesday, 5 December 2023 · Duration 28:19

In this episode, Jacob talks to Patrick Perry from Zscaler. They discuss Zscaler's experiences navigating the FedRAMP and DoD Impact Level processes as well as Zero Trust!

Pat is a cybersecurity expert with over 20 years of experience. He currently works at Zscaler as Field CTO and is responsible for the alignment of Zscaler capabilities to the DoD and IC mission sets in order to provide dynamic, mission-focused, innovative approaches to enable transformation and zero trust to warfighter organizations.

Zscaler U.S. Government Solutions enables the U.S. government and their strategic partners to securely transform their networks and applications for a mobile and cloud-first world. Zscaler's FedRAMP Moderate/High/DoD IL5-authorized solutions ensure fast, secure connections between users and applications, regardless of device, location, or network.

Here are some highlights from the episode:

  • Zscaler's Approach to FedRAMP, DoD Impact Levels, and CMMC
  • Shared Responsibility Between Cloud Service Providers and Users
  • What Zero Trust is and how it relates to CMMC
  • Zero Trust Pillars
  • Thoughts on Federal Approach to Zero Trust

Follow Patrick on LinkedIn: https://www.linkedin.com/in/perrypn2019/

Zscaler website: https://www.zscaler.com/

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e18&utm_campaign=courses

Cyber Security Questionnaire Essentials with Derrich Phillips of Aspire Cyber

Season 1 · Episode 17

Tuesday, 28 November 2023 · Duration 12:23

In this episode Jacob speaks with Derrich Phillips from Aspire Cyber about best practices and tips when filling out cybersecurity questionnaires.

Derrich Phillips is a cybersecurity expert with over 20 years of experience in the field. He started his career in the Army's security operations center, defending networks against cyber attacks. As the founder of Aspire Cyber, he focuses on helping small companies prove their cybersecurity readiness to handle information for enterprise customers.

Here are some highlights from the episode:

  • How Derrich got into cybersecurity
  • The what and why of security questionnaires
  • How to save time and money while filling out security questionnaires
  • When to push back on overly burdensome requirements

Check out this video where Derrich and I discuss how ChatGPT can be used in information security compliance: https://youtu.be/IAAJPJLBeaY

Follow Derrich on LinkedIn: https://www.linkedin.com/in/derrichphillips/

Aspire Cyber website: https://www.aspirecyber.com/

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e17&utm_campaign=courses

Behind the Curtain of Federal Rulemaking with Shauna Weatherly of FedSubK.com

Season 1 · Episode 16

Saturday, 18 November 2023 · Duration 28:33

In this episode Jacob speaks with Shauna Weatherly from FedSubK.com.

Shauna recently retired from the federal government after serving more than 35 years in the federal acquisition / contracting space! During her career she served as chief of contracting, contracting officer representative, and as an advisor to the Civilian Agency Acquisition Council (CAAC).

She even has direct experience in the federal rulemaking process, and contributed to FAR case 2017-016, also known as the FAR CUI rule, which will contractually require the implementation of NIST SP 800-171 on federal contracts.

Join us as we pull back the curtain on the federal rulemaking process and more!

Here are some highlights from the episode:

  • Shauna’s background
  • Steps and roles involved in the federal rulemaking process
  • What is a FAR case?
  • What is OIRA’s role?
  • The relationship between the FAR and DFARS
  • How to provide effective public comments on regulations
  • Impacts of FAR case 2017-16 - CUI rule
  • Impacts of FAR case 2021-17 - Cyber Threat and Incident Reporting and Information Sharing regulation
  • Impacts of FAR case 2021-019 - Standardizing Cybersecurity Requirements for Unclassified Information Systems

Follow Shauna on LinkedIn: https://www.linkedin.com/in/shauna-weatherly/

FedSubK website: https://www.fedsubk.com/

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e16&utm_campaign=courses

Cloud Security & DFARS 7012 Compliance with Michael Greenman from Deltek

Season 1 · Episode 15

Thursday, 2 November 2023 · Duration 13:59

In this episode Jacob speaks with Michael Greenman from Deltek.

Michael has worked in government and cloud-based technology for over 20 years, and currently works at Deltek in the Product Strategy group and is the evangelist for cybersecurity compliance and cloud services!

Michael shares Deltek's perspective on security and compliance as a cloud service provider.

Here are some highlights from the episode:

  • How Michael got into cybersecurity
  • Deltek's government clouds
  • DFARS 252.204-7012's C - G incident reporting requirements
  • How cloud providers can demonstrate FedRAMP moderate equivalency
  • What is a shared responsibility matrix
  • The need for a defense focused CSP / ESP / MSP marketplace

Follow Michael on LinkedIn: https://www.linkedin.com/in/michael-greenman-94952a3/

Deltek website: https://www.deltek.com/

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e15&utm_campaign=courses

CMMC Insights with Redspin Assessor Thomas Graham

Season 1 · Episode 14

Monday, 23 October 2023 · Duration 34:52

In this episode Jacob speaks with Dr. Thomas Graham who is a CMMC assessor.

Thomas is the Vice President and CISO at Redspin, and Redspin is the first CMMC Third Party Assessor Organization (C3PAO)!

This episode has a lot of great information for the defense industrial base!

Here are some highlights from the episode:

  • Redspin's experience becoming the first C3PAO
  • Notable changes in NIST 800-171 r3
  • CMMC challenges and misconceptions
  • Tips for selecting the right CMMC consultant and assessor
  • Other countries interested in CMMC
  • Each phase of the CMMC assessment process
  • What CMMC practices can be POA&M'd according to current guidance
  • And more!

Follow Thomas on LinkedIn: https://www.linkedin.com/in/tgrahamphd/

Redspin website: https://www.redspin.com

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e14&utm_campaign=courses

CMMC Rulemaking with Jacob Horne

Season 1 · Episode 13

Friday, 22 September 2023 · Duration 29:05

In this episode Jacob Hill talks with Jacob Horne from Summit 7!

Jacob Horne is Summit 7's Chief Security Evangelist, and has a unique genetic superpower that allows him to delve into NIST publications & government regulations without experiencing even a hint of boredom!

In the episode Jacob Horne explains the history leading up to the CMMC program, when CMMC may be required, and the significance of the FAR CUI rule!

Here are some key topics we discussed:

  • How he started in cybersecurity
  • The history leading up to CMMC
  • What is rulemaking
  • The two CMMC rules we are waiting on
  • When CMMC may appear in contracts
  • The FAR CUI rule and its importance
  • Why DHS and VA regulations were silent on NIST 800-171
  • When will the FAR CUI rule drop?

Follow Jacob on LinkedIn: https://www.linkedin.com/in/jacob-evan-horne/

Summit 7 website: https://www.summit7.us/

Jacob Horne's Deep dive on CMMC rulemaking timeline: https://www.youtube.com/watch?v=qyLDQxo-YPg

Federal Rulemaking book: https://www.amazon.com/Rulemaking-Government-Agencies-Write-Policy/dp/1483352811/

-----------

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e13&utm_campaign=courses


Similar Podcasts Based on Content

Discover podcasts related to GRC Academy. Explore podcasts with similar themes, topics, and formats. These similarities are calculated from tangible data, not extrapolations!
Contracting Officer Podcast 2.0 (samples)
The Daily Stoic
The Logistics of Logistics
Marketing Trends
Risky Business
BrakeSec Education Podcast
Down the Security Rabbithole Podcast (DtSR)
Revenue Builders
Designed by Wingnut Social | Interior Design Business
Cyber Security Interviews
© My Podcast Data