
Explore all episodes of the GRC Academy podcast

Dive into the complete list of GRC Academy episodes. Each episode is catalogued with a detailed description, which makes it easy to search for and explore specific topics. Keep up with every episode of your favourite podcast and never miss relevant content.


Title | Date | Duration

Zero Trust - It's Way Easier Than You Think with John Kindervag | 03 Sep 2024 | 00:31:45

Zero Trust is NOT complicated!

Don't believe me? Let me introduce you to its creator!

In this episode, Jacob speaks with John Kindervag, the creator of Zero Trust.

John is the Chief Evangelist at Illumio where he accelerates awareness and adoption of Zero Trust Segmentation.

In the episode he shares the origin story of Zero Trust starting with his time at Forrester Research. He explains the fundamental principles of Zero Trust, debunks common misconceptions, and how you can implement Zero Trust using a 5-step model.

Here are a few highlights from this episode:

  • The broken trust model that has allowed the largest data breaches
  • Defining Zero Trust and misconceptions about it
  • How to implement zero trust in 5 steps
  • "Things Run Amok" poem - if Dr. Seuss wrote about the Internet of Things

John's elevator pitch for Zero Trust is a masterclass in itself.

If you want to convince business leaders to invest in cybersecurity, you have to focus on how that investment will benefit the business. John does exactly that here and we should all take note.

Illumio is a Zero Trust Segmentation company that prevents breaches and ransomware from spreading across hybrid environments. Their platform visualizes traffic flows, automatically sets granular segmentation policies, and isolates critical assets and compromised systems. Founded in 2013, Illumio protects organizations of all sizes, from Fortune 100 to small businesses.

Follow John on LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/

Illumio Website: https://www.illumio.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e30&utm_campaign=courses

The Cisco Whistleblower - The First Settled Cybersecurity False Claims Act (FCA) Lawsuit | 24 Aug 2024 | 00:26:30

Introducing the Cisco Whistleblower.

In this episode, Jacob speaks with lawyer Hamsa Mahendranathan about the FIRST cybersecurity False Claims Act (FCA) lawsuit that reached a settlement!

This goes all the way back to 2008 believe it or not… The lawsuit was FINALLY settled in 2019!

As we all know, the DoJ has intervened in the Georgia Tech NIST 800-171 FCA whistleblower complaint.

Wonder what the whistleblowers may be dealing with? Maybe you want to blow the whistle yourself and don't know what to expect?

Here are a few highlights from this episode:

  • How Hamsa's client unwittingly became a whistleblower
  • The fallout he experienced for doing the right thing
  • Mitigations for career consequences of blowing the whistle
  • The complexity of working with federal, state, and local False Claim Act laws

And so much more!

If you are interested in the False Claims Act and cyber compliance, you won't want to miss this one! This episode is truly one for the history books!

Read the whistleblower complaint: https://cdn.grcacademy.io/web/20240824091900/us-ex-rel-glenn-vs-cisco-fca-complaint.pdf

Follow Hamsa on LinkedIn: https://www.linkedin.com/in/hamsa-mahendranathan/

Whistleblower Partners Website: https://www.whistleblower.law/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e29&utm_campaign=courses

CMMC and Security Compliance in Higher Education | 20 Mar 2024 | 01:15:56

In this episode, Jacob speaks with a panel of information security experts from universities about CMMC and their experience preparing for it!

They discuss security and compliance challenges at universities, the Penn State NIST 800-171 False Claims Act lawsuit, and much more!

Here are some highlights from the episode:

  • How universities are different from other types of organizations
  • Different compliance requirements for universities
  • Who is involved in the execution of a government contract?
  • The drivers of cybersecurity compliance at universities
  • Thoughts on the Penn State False Claims Act lawsuit
  • How to drive positive cybersecurity change at a university
  • CUI enclaves at universities
  • Areas of CMMC that need clarification

Here are the panelists:

Thanks to our sponsor Keeper Security!

Need a secure file sharing solution? Register for a webinar showing how Defense Contractors can share sensitive information using Keeper: https://grcacademy.io/ref/keeper/webinar-cmmc-file-sharing-april-2024/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e20&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

AI's Impact on Cybersecurity Risk with Dr. Raghuram Srinivas of MetricStream | 01 Mar 2024 | 00:16:59

In this episode, Jacob talks to Dr. Raghuram Srinivas from MetricStream!

They discuss the beginnings of AI, how it has evolved over time, and the risks and opportunities it presents to companies around the world!

Raghuram is the Senior Vice President of Product Management at MetricStream. He is an AI expert and has worked in AI-focused roles at JPM Chase, KPMG, as well as the Watson Group at IBM.

Here are some highlights from the episode:

  • The history of AI
  • How do large language models (LLMs) work?
  • AI for GRC & GRC for AI
  • Using AI in cyber operations
  • The future of cyber risk

Follow Ragu on LinkedIn: https://www.linkedin.com/in/raghuramsrinivas/

MetricStream website: https://www.metricstream.com/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online cyber GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e19&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Zscaler on FedRAMP and Zero Trust with Patrick Perry | 05 Dec 2023 | 00:28:19

In this episode, Jacob talks to Patrick Perry from Zscaler. They discuss Zscaler's experiences navigating the FedRAMP and DoD Impact Level processes as well as Zero Trust!

Pat is a cybersecurity expert with over 20 years of experience. He currently works at Zscaler as Field CTO and is responsible for the alignment of Zscaler capabilities to the DoD and IC mission sets in order to provide dynamic, mission-focused, innovative approaches to enable transformation and zero trust to warfighter organizations.

Zscaler U.S. Government Solutions enables the U.S government and their strategic partners to securely transform their networks and applications for a mobile and cloud-first world. Zscaler's FedRAMP Moderate/High/DoD IL5-authorized solutions ensure fast, secure connections between users and applications, regardless of device, location, or network.

Here are some highlights from the episode:

  • Zscaler's Approach to FedRAMP, DoD Impact Levels, and CMMC
  • Shared Responsibility Between Cloud Service Providers and Users
  • What Zero Trust is and how it relates to CMMC
  • Zero Trust Pillars
  • Thoughts on Federal Approach to Zero Trust

Follow Patrick on LinkedIn: https://www.linkedin.com/in/perrypn2019/

Zscaler website: https://www.zscaler.com/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e18&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Cyber Security Questionnaire Essentials with Derrich Phillips of Aspire Cyber | 28 Nov 2023 | 00:12:23

In this episode Jacob speaks with Derrich Phillips from Aspire Cyber about best practices and tips when filling out cybersecurity questionnaires.

Derrich Phillips is a cybersecurity expert with over 20 years of experience in the field. He started his career in the Army's security operations center, defending networks against cyber attacks. As the founder of Aspire Cyber, he focuses on helping small companies prove their cybersecurity readiness to handle information for enterprise customers.

Here are some highlights from the episode:

  • How Derrich got into cybersecurity
  • The what and why of security questionnaires
  • How to save time and money while filling out security questionnaires
  • When to push back on overly burdensome requirements

Check out this video where Derrich and I discuss how ChatGPT can be used in information security compliance: https://youtu.be/IAAJPJLBeaY

Follow Derrich on LinkedIn: https://www.linkedin.com/in/derrichphillips/

Aspire Cyber website: https://www.aspirecyber.com/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e17&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Behind the Curtain of Federal Rulemaking with Shauna Weatherly of FedSubK.com | 18 Nov 2023 | 00:28:33

In this episode Jacob speaks with Shauna Weatherly from FedSubK.com.

Shauna recently retired from the federal government after serving more than 35 years in the federal acquisition / contracting space! During her career she served as chief of contracting, contracting officer representative, and as an advisor to the Civilian Agency Acquisition Council (CAAC).

She even has direct experience in the federal rulemaking process, and contributed to FAR case 2017-016, also known as the FAR CUI rule, which will contractually require the implementation of NIST SP 800-171 on federal contracts.

Join us as we pull back the curtain on the federal rulemaking process and more!

Here are some highlights from the episode:

  • Shauna’s background
  • Steps and roles involved in the federal rulemaking process
  • What is a FAR case?
  • What is OIRA’s role?
  • The relationship between the FAR and DFARS
  • How to provide effective public comments on regulations
  • Impacts of FAR case 2017-16 - CUI rule
  • Impacts of FAR case 2021-17 - Cyber Threat and Incident Reporting and Information Sharing regulation
  • Impacts of FAR case 2021-019 - Standardizing Cybersecurity Requirements for Unclassified Information Systems

Follow Shauna on LinkedIn: https://www.linkedin.com/in/shauna-weatherly/

FedSubK website: https://www.fedsubk.com/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e16&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Cloud Security & DFARS 7012 Compliance with Michael Greenman from Deltek | 02 Nov 2023 | 00:13:59

In this episode Jacob speaks with Michael Greenman from Deltek.

Michael has worked in government and cloud-based technology for over 20 years, and currently works at Deltek in the Product Strategy group and is the evangelist for cybersecurity compliance and cloud services!

Michael shares Deltek's perspective on security and compliance as a cloud service provider.

Here are some highlights from the episode:

  • How Michael got into cybersecurity
  • Deltek's government clouds
  • DFARS 252.204-7012's C - G incident reporting requirements
  • How cloud providers can demonstrate FedRAMP moderate equivalency
  • What is a shared responsibility matrix
  • The need for a defense focused CSP / ESP / MSP marketplace

Follow Michael on LinkedIn: https://www.linkedin.com/in/michael-greenman-94952a3/

Deltek website: https://www.deltek.com/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e15&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

CMMC Insights with Redspin Assessor Thomas Graham | 23 Oct 2023 | 00:34:52

In this episode Jacob speaks with Dr. Thomas Graham who is a CMMC assessor.

Thomas is the Vice President and CISO at Redspin, and Redspin is the first CMMC Third Party Assessor Organization (C3PAO)!

This episode has a lot of great information for the defense industrial base!

Here are some highlights from the episode:

  • Redspin's experience becoming the first C3PAO
  • Notable changes in NIST 800-171 r3
  • CMMC challenges and misconceptions
  • Tips for selecting the right CMMC consultant and assessor
  • Other countries interested in CMMC
  • Each phase of the CMMC assessment process
  • What CMMC practices can be POA&M'd according to current guidance
  • And more!

Follow Thomas on LinkedIn: https://www.linkedin.com/in/tgrahamphd/

Redspin website: https://www.redspin.com

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e14&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

CMMC Rulemaking with Jacob Horne | 22 Sep 2023 | 00:29:05

In this episode Jacob Hill talks with Jacob Horne from Summit 7!

Jacob Horne is Summit 7's Chief Security Evangelist, and has a unique genetic superpower that allows him to delve into NIST publications & government regulations without experiencing even a hint of boredom!

In the episode Jacob Horne explains the history leading up to the CMMC program, when CMMC may be required, and the significance of the FAR CUI rule!

Here are some key topics we discussed:

  • How he started in cybersecurity
  • The history leading up to CMMC
  • What is rulemaking
  • The two CMMC rules we are waiting on
  • When CMMC may appear in contracts
  • The FAR CUI rule and its importance
  • Why DHS and VA regulations were silent on NIST 800-171
  • When will the FAR CUI rule drop?

Follow Jacob on LinkedIn: https://www.linkedin.com/in/jacob-evan-horne/

Summit 7 website: https://www.summit7.us/

Jacob Horne's Deep dive on CMMC rulemaking timeline: https://www.youtube.com/watch?v=qyLDQxo-YPg

Federal Rulemaking book: https://www.amazon.com/Rulemaking-Government-Agencies-Write-Policy/dp/1483352811/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e13&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Talking Cybersecurity with Dr Ron Ross of NIST | 01 Sep 2023 | 00:30:31

In this episode Jacob talks with Dr. Ron Ross from NIST! This is the final of a three-part series with Dr. Ross.

In the episode Dr. Ross shares his thoughts on topics like ChatGPT, zero trust, his top 5 security controls, advice to folks new to cybersecurity, and much more!

Here are some key topics we discussed:

  • Top challenges in federal cybersecurity compliance
  • How to enable positive cybersecurity culture
  • The missing strategic view in cybersecurity
  • Zero Trust
  • LLMs like ChatGPT
  • The importance of managing complexity
  • Dr. Ross's top 5 critical security controls
  • Career advice to folks new to cybersecurity

Dr. Ross is the author of multiple publications including Risk Management Framework (RMF), NIST 800-53, NIST 800-171, and many more!

Dr. Ross leads the FISMA Implementation Project which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure.

He also leads the Joint Task Force, an interagency group that includes the DoD, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a unified information security framework for the federal government and its contractors.

Follow Ron on LinkedIn: https://www.linkedin.com/in/ronrossecure/

NIST CSRC Website: https://csrc.nist.gov/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e12&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

NIST 800-171 r3 August 2023 Status Update with Dr Ron Ross | 14 Aug 2023 | 00:26:12

In this episode Jacob talks with Dr. Ron Ross from NIST! This is the 2nd of a three-part series with Dr. Ross.

In the episode Dr. Ross shares a status update on NIST 800-171 revision 3. At the time of this recording, NIST has released the 1st initial draft, and the 1st public comment period has closed.

Here are some key topics we discussed:

  • Notable changes in NIST 800-171 r3
  • Thoughts on public comments
  • Strategy on the ODPs
  • Encryption (FIPS 140) control ODP
  • Independent Assessment control
  • Security Protection Assets
  • Implementation examples

Dr. Ross is the author of multiple publications including Risk Management Framework (RMF), NIST 800-53, NIST 800-171, and many more!

Dr. Ross leads the FISMA Implementation Project which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure.

He also leads the Joint Task Force, an interagency group that includes the DoD, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a unified information security framework for the federal government and its contractors.

Follow Ron on LinkedIn: https://www.linkedin.com/in/ronrossecure/

NIST CSRC Website: https://csrc.nist.gov/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e11&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

CMMC and Manufacturing with Daniel Stark | 20 Aug 2024 | 00:25:43

Think your users are resistant to CMMC? You ain't seen nothin' yet!

In this episode, Jacob speaks with Daniel Stark of Meerkat Cyber about the unique CMMC compliance challenges in a manufacturing environment.

Here are some highlights:

  • Daniel's experience running IT in a family-owned manufacturing shop
  • How Controlled Unclassified Information (CUI) flows on the shop floor
  • Physical and environmental security constraints unique to manufacturing
  • How ISO 9001 / AS9100 can help get the buy in for CMMC
  • Advice for manufacturing IT staff dealing with CMMC compliance
  • Tips on hiring the right CMMC consultant and assessor

I really enjoyed learning more about how machine shops operate and the unique challenges they have when it comes to CMMC compliance!

It's awesome that there are folks in the CMMC ecosystem that are familiar with manufacturers!

Manufacturing is an extremely different type of environment and in my opinion "normal" office IT assessment experience won't cut it. Hire wisely, folks!

Follow Daniel on LinkedIn: https://www.linkedin.com/in/daniel-stark-a85694222/

Meerkat Cyber Website: https://meerkatcyber.com/

-----------

Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e28&utm_campaign=courses

NIST Cybersecurity History with Dr Ron Ross | 11 Aug 2023 | 00:30:05

In this episode Jacob talks with Dr. Ron Ross from NIST! This is the 1st of a three-part series with Dr. Ross.

In the episode Dr. Ross shares the fascinating history of NIST's involvement in cyber security!

Here are some key topics we discussed:

  • How he started at NIST and the projects he has worked on
  • NIST's and the Joint Task Force's Mission
  • How he convinced the DoD to transition from DIACAP to RMF
  • The history of continuous monitoring program
  • The origins of NIST 800-171
  • Why NIST did not adopt ISO 27001
  • The goal of NIST 800-160

Dr. Ross is the author of multiple publications including Risk Management Framework (RMF), NIST 800-53, NIST 800-171, and many more!

Dr. Ross leads the FISMA Implementation Project which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure.

He also leads the Joint Task Force, an interagency group that includes the DoD, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a unified information security framework for the federal government and its contractors.

Follow Ron on LinkedIn: https://www.linkedin.com/in/ronrossecure/

NIST CSRC Website: https://csrc.nist.gov/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e10&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Securing the Oil and Gas Industry with Industrial OT Cybersecurity Expert Joseph Loomis | 22 Jul 2023 | 00:19:10

In this episode Jacob talks with operational technology (OT) cybersecurity expert Joseph Loomis!

Joseph is the President of Secrabus Inc where he performs cybersecurity assessments on Oil & Gas companies to help elevate their security posture and protect their critical assets.

Joseph shares his experiences after more than 15 years in the Oil & Gas industrial control system (ICS) and OT cybersecurity space.

Here are some key topics we discussed:

  • How he started in cybersecurity
  • The just in time deliverability aspect of Oil & Gas
  • IT and OT convergence
  • Defense in depth architecture
  • GRC Standards that apply to the Oil & Gas industry
  • Purdue Model for ICS Security
  • His risk assessment methodology
  • Interesting stories
  • And more!

Follow Joseph on LinkedIn: https://www.linkedin.com/in/josephloomis/

Secrabus Inc's Website: https://secrabus.com/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e9&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

From Aircraft Maintenance to GRC and Cybersecurity with Jonathan Fisher | 22 Jun 2023 | 00:18:30

In this episode Jacob talks with GRC professional Jonathan Fisher.

Jonathan shifted into the GRC field after 20 years in the military supporting aircraft maintenance, and explains how others can do the same!

Here are some key topics we discussed:

  • What GRC is
  • How he transitioned into GRC and cybersecurity
  • How nontechnical folks can transition into cybersecurity by starting in a GRC role
  • How most folks already have transferrable experience
  • What GRC frameworks to focus on
  • How to use LinkedIn to boost your career

Follow Jonathan on LinkedIn: https://www.linkedin.com/in/jonfisher11/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e8&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Privacy Laws and GRC with Attorney Donata Stroink-Skillrud | 14 Jun 2023 | 00:29:38

In this episode Jacob speaks with privacy attorney Donata Stroink-Skillrud. Donata is the chair of the American Bar Association’s ePrivacy committee, and has an excellent understanding of privacy laws in the US and the EU.

She shares the impact of US and EU privacy laws on businesses, how they can plan to comply, and much more!

Here are some key topics we discussed:

  • The importance of privacy laws
  • Differences between EU and US approaches to privacy
  • The impact of GDPR and why many consider it to be the gold standard in privacy laws
  • Current and emerging state-level privacy laws in the US
  • Implications of privacy laws for small businesses
  • The importance of only collecting the information you need
  • The status of the US's federal privacy law and how it compares to the GDPR
  • How GRC compliance frameworks like NIST’s Privacy Framework and ISO 27001 can help comply

Donata's website: https://termageddon.com

Follow Donata on LinkedIn: https://www.linkedin.com/in/donata-stroink-skillrud/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e7&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Insights from CMMC Consultant and Assessor Koren Wise | 09 Jun 2023 | 00:26:59

In this episode Jacob speaks with Koren Wise, who is a highly experienced CMMC consultant, assessor, and instructor. Koren offers insights from her experience helping companies prepare for CMMC, and gives advice on hiring the right CMMC consultant and assessor for your business - and much more!

Here are some of the topics we discussed:

  • How she got to where she is today
  • Common misconceptions businesses have about CMMC
  • Who should take the CMMC Certified Professional (CCP) course
  • Real world problems and solutions
  • What is a CUI enclave?
  • Addressing CUI data sprawl in a business
  • Joint Surveillance Assessments
  • Managing CMMC compliance like a project
  • Hiring the right CMMC consultant
  • Hiring the right CMMC assessor

Follow Koren on LinkedIn: https://www.linkedin.com/in/koren-wise/

Koren's website: https://www.wtinetworks.com

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e6&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Cyber Insurance 101 for Government Contractors with Rick Rosenberry | 02 Jun 2023 | 00:13:34

In this episode Jacob speaks with Rick Rosenberry about Cyber Insurance in the context of DoD and government contracting.

Rick is an insurance broker and a CMMC Registered Practitioner, and he explains that not all cyber insurance policies are equal and the importance of working with an insurance broker that understands cybersecurity and your regulatory environment.

Here are a few of the topics we discussed:

  • Overview of cyber insurance fundamentals
  • Key roles in the cyber insurance process
  • How underwriters assess a business's cyber risk
  • Critical security controls underwriters want in place
  • Benefits of compliance frameworks like NIST 800-171 and ISO 27001
  • False Claims Act cyber insurance claim scenarios
  • Getting the right coverage to support DFARS 252.204-7012 incident reporting

Follow Rick on LinkedIn: https://www.linkedin.com/in/rick-rosenberry/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e5&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Preparing North Carolina for CMMC with Laura Rodgers | 12 Apr 2023 | 00:15:53

In this episode Jacob speaks with Laura Rodgers about her work helping to prepare North Carolina businesses for the DoD's Cybersecurity Maturity Model Certification (CMMC).

Laura has established an excellent training program that guides North Carolina businesses in the creation of cybersecurity programs. The effort is in collaboration with the North Carolina Military Business Center, North Carolina State University, and other strategic partners.

Here are a few of the topics we discussed:

  • Unique challenges faced by small businesses
  • Concerns the government is not properly marking or is overmarking documents as CUI
  • Importance of collaboration between technical and compliance teams
  • Challenges that incident response presents to small businesses

Follow Laura on LinkedIn: https://www.linkedin.com/in/lauradrodgers/

Cyber NC website: https://www.cybernc.us/

-----------

Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e4&utm_campaign=courses

Need a FedRAMP authorized Password Manager?

Start a free 14-day trial of Keeper: https://grcacademy.io/ref/keeper/b2b-trial/

See the CMMC controls that Keeper meets: https://grcacademy.io/ref/keeper/cmmc-controls-sheet/

Power Grid Cyber Security with Jon Watkins | 29 Mar 2023 | 00:15:30

In this episode Jacob speaks with Jon Watkins about power grid security. Jon is a cybersecurity expert and the founder of the Rural Electric Cyber Advancement Program (RECAP)!

RECAP enables peer cybersecurity assessments among electric utility cooperatives. Jon has conducted multiple RECAP assessments for co-ops throughout the US.

Jon tells us about how he started in cybersecurity, the history of electric cooperatives, how power grid cybersecurity is different, how OT and SCADA are used to enhance the reliability of the grid, notable power grid cyber incidents, and RECAP.

Follow Jon on LinkedIn: https://www.linkedin.com/in/jonrwatkins/


Master Certified Ethical Hacker Eric Reed | 14 Mar 2023 | 00:56:03

In this episode Jacob speaks with master Certified Ethical Hacker instructor Eric Reed about his background, how he started teaching, and several scenarios explaining how hackers compromise business networks.

Eric's website: https://ericreedlive.com/

Follow Eric on LinkedIn: https://www.linkedin.com/in/ericreedlive/

Eric Reed is a master cybersecurity instructor with more than 30 years of IT experience! He has been teaching since 2005 and is a master at his craft.

Eric specializes in instructor-led cybersecurity training for the following certifications:

  • Certified Ethical Hacker (CEH)
  • Computer Hacking Forensic Investigator (CHFI)
  • Certified Security Analyst Certification
  • Certified Network Defender
  • CompTIA’s Security+
  • Certified Information Systems Security Professional (CISSP)


NIST Cybersecurity Professional Training Program with Rick Lemieux | 10 Mar 2023 | 00:20:51

In this episode Jacob speaks with Rick Lemieux of the DVMS Institute about the NIST Cybersecurity Professional training program, how it started, the government and private organizations that have adopted it, and its courses.

The NIST Cybersecurity Professional Program is designed to help organizations create a culture-driven, adaptive, cyber-resilient enterprise capable of creating, protecting, and delivering digital business value, and it shows how the NIST CSF can be used to manage digital business risks and improve governance.

Accredited through APMG International, assured through the UK’s National Cyber Security Centre (NCSC), and listed as qualified cyber training by Cybersecurity and Infrastructure Security Agency (CISA) in the USA, the NIST Cybersecurity Professional training program teaches individuals and organizations how to engineer, operationalize and continually improve a NIST CSF Program.


Insights on NIST 800-171 Joint Surveillance Voluntary Assessments (JSVA) from IntelliGRC | 01 Aug 2024 | 00:27:40

So… How do I get CMMC’d early?

In this episode, Jacob speaks with Steven Molter of IntelliGRC about his experiences helping IntelliGRC clients complete NIST 800-171 Joint Surveillance Voluntary Assessments (JSVAs).

Here are some highlights:

  • The JSVA process & how to request one
  • The different teams within DIBCAC
  • The challenge of subjectivity during assessments
  • Advice for companies preparing for JSVAs
  • How a company convinced DIBCAC to "upgrade" from a traditional DIBCAC high assessment to a JSVA

According to the proposed CMMC program rule, JSVAs are eligible to convert to CMMC level 2 certifications once the CMMC program goes live assuming certain conditions are met:

  • Perfect assessment score
  • No open assessment POA&Ms

Steve shared some great lessons for those preparing for JSVAs and CMMC assessments. If you're prepping for either, you won’t want to miss this episode!

Also, just in case you didn’t know, IntelliGRC customers receive my DIB-focused CMMC Overview Training! No other GRC platform that I'm aware of today provides comprehensive foundational CMMC training to their customers!

If you are looking for a GRC platform to manage your CMMC compliance program, check out IntelliGRC!

Follow Steve on LinkedIn: https://www.linkedin.com/in/steven-molter-apologeticz/

Follow IntelliGRC on LinkedIn: https://www.linkedin.com/company/intelligrc/

IntelliGRC Website: https://www.intelligrc.com/

IntelliGRC YouTube Channel: https://www.youtube.com/@intelligrc


Hypori Halo: Redefining Mobile Device Security with Brian Kovalski | 16 Jul 2024 | 00:11:58

In this episode, Jacob speaks with Brian Kovalski, Senior Vice President of Federal at Hypori.

In the episode they discuss Hypori's origin story and its innovations in the mobile security space.

Here are some highlights from the episode:

  • Hypori's origin story and its roots starting as an NSA Commercial Solutions for Classified Program (CSfC) product
  • How it is different from traditional Mobile Device Management (MDM)
  • How it works, its certifications, and its deployment options
  • How Hypori can help achieve CMMC compliance

We don't think about it much, but mobile devices really are a huge risk - just think of how much information is on your phone!

If you work in cybersecurity, you should know about this unique option to provide secure mobile access!

Follow Brian on LinkedIn: https://www.linkedin.com/in/brian-kovalski-057b8a7/

Hypori Website: https://www.hypori.com/


The Business Case for Information Security with Mark Nicholls | 18 Jun 2024 | 00:28:31

In this episode, Jacob speaks with Mr. Mark Nicholls!

Mark is the CEO of Information Professionals Group and has over 30 years of experience!

In the episode they discuss the business case for information security, and how cybersecurity professionals can effectively communicate with the C-suite and other business leaders!

Here are some highlights from the episode:

  • The importance of information security in business
  • The importance of securing data
  • How cyber professionals should engage with business leaders
  • Roleplaying exercise - bad/good examples of a cyber pro trying to convince a CEO
  • How active listening can help you make a difference

Follow Mark on LinkedIn: https://www.linkedin.com/in/markdnicholls/

Information Professionals Group Website: https://www.informpros.com.au/


How To Stop Social Engineering in Its Tracks with Chris Silvers | 07 Jun 2024 | 00:31:04

In this episode, Jacob speaks with Penetration Tester & Social Engineer Chris Silvers!

Chris Silvers is the founder of CG Silvers Consulting! Chris has a vast amount of experience ranging from CMMC assessments to penetration testing. He even won the prestigious DEF CON black badge during the DEF CON 24 Social Engineering Capture the Flag (SECTF)!

In this episode they focus on how organizations can defend against social engineering attacks!

Here are some highlights from the episode:

  • Winning the DEF CON SECTF black badge
  • Social engineering tactics and tools
  • CEO impersonation / fraud attacks
  • How can GRC help defend against social engineering?
  • Why businesses shouldn't start with a penetration test

Follow Chris on LinkedIn: https://www.linkedin.com/in/cgsilvers/

Chris's Website: https://www.cgsilvers.com/


ISO 27001 Essentials with Aron Lange | 06 May 2024 | 00:28:01

In this episode, Jacob speaks with ISO 27001 expert Aron Lange!

Aron is the founder of the GRC Lab, and a Udemy instructor with more than 11,000 students! He is an experienced auditor for management systems based on ISO 27001, ISO 9001, ISO 27018 and ISO 22301.

In this episode they discuss the essentials of ISO 27001 including the history of the standard and the changes in the latest revision, but also the significance of the organizations involved and the danger of ISO “certification paper mills.”

Here are some highlights from the episode:

  • The history of ISO 27001
  • Changes in ISO 27001:2022
  • Who are the IAF, accreditation bodies, and certification bodies?
  • The importance of hiring an IAF affiliated certification body
  • ISO scoping
  • Maintaining an ISO certification
  • Best practices for internal audits

Follow Aron on LinkedIn: https://www.linkedin.com/in/aronlange/

Aron’s Udemy courses: https://www.udemy.com/user/aron-lange/

Aron’s Website: https://www.aronlange.com/


Why Threat Intel is Essential for Vulnerability Management with Patrick Garrity | 30 Apr 2024 | 00:27:07

In this episode, Jacob speaks with cybersecurity researcher Patrick Garrity!

Patrick Garrity is a seasoned security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors.

In this episode they discuss the importance of integrating threat intelligence into vulnerability management using the Exploit Prediction Scoring System (EPSS), CISA Known Exploited Vulnerabilities Catalog, and the changes in CVSS 4.0!

Here are some highlights from the episode:

  • How Exploit Prediction Scoring System (EPSS) can predict exploitation
  • How vulnerability scanners integrate EPSS
  • CISA's Known Exploited Vulnerabilities (KEV) Catalog
  • The national security implications of vulnerability management

Follow Patrick on LinkedIn: https://www.linkedin.com/in/patrickmgarrity/

VulnCheck Website: https://vulncheck.com/


The False Claims Act and The DOJ's Civil Cyber Fraud Initiative with Julie Bracker | 26 Mar 2024 | 00:40:54

In this episode, Jacob speaks with attorney Julie Bracker!

Julie is the whistleblower attorney for both the Penn State University and Georgia Tech University FCA complaints. These complaints essentially allege the defendants misrepresented their compliance with NIST 800-171!

They discuss the False Claims Act and the DOJ's Civil Cyber Fraud Initiative, and what federal contractors can do to avoid being the subject of a whistleblower complaint!

Here are some highlights from the episode:

  • What is the False Claims Act?
  • What is the DoJ's Civil Cyber Fraud Initiative?
  • What are the risks and rewards for whistleblowers?
  • Who are the targets of the initiative?
  • Can companies blindly rely on their MSP and be safe?
  • How to quantify damages of cyber noncompliance fraud
  • DoJ Civil Cyber Fraud settled lawsuits so far
  • Georgia Tech and Penn State FCA cases

Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/

Bracker & Marcus LLP Website: https://www.fcacounsel.com/

Penn State FCA Complaint: https://cdn.grcacademy.io/web/20240325204912/penn-state-university-false-claims-act-complaint.pdf

Georgia Tech FCA Complaint: https://cdn.grcacademy.io/web/20240325204909/georgia-tech-university-false-claims-act-complaint.pdf

2023 DoJ Report of FCA settlements (more than $2.68 billion): https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-268-billion-fiscal-year-2023


© My Podcast Data