Topic: Title: Data Governance and Threat Intelligence Converge

In Episode 83 of TheCyber5, we are joined by our guest, Egnyte’s Chief Governance Officer, Jeff Sizemore.

We discuss the Cybersecurity Maturity Model Certification (CMMC) and the impact on Department of Defense (DOD) contractors to mature their cybersecurity hygiene in order to compete for US government contracts. CMMC was based on NIST Standards 800-71. 

Here are 4 topics we discuss in this episode:

• Why Does CMMC Matter?

In the near future, contracts are going to be rated L1-3 and if contractors are not certified up to a certain level, they cannot bid on the contract. This is more focused on the smaller defense contractors who up to now, have generally disregarded compliance measures yet are major targets for nation state cyber attacks. 

• Failure to Comply with CMMC Could Mean Perjury

Compliance for DOD contractors is not new and companies were previously allowed to self-attest. When DOD regulatory bodies did the research, 75% of companies were found to be not in compliance. For enforcement, the Department of Justice is now involved and if contractors lie, it’s considered perjury. 

• Compliance Cybersecurity Controls Contractors Can Implement

1. Before choosing an email provider, cloud environment, or file share, be sure they are FedRamp compliant. 
2. Automate the search capability within secure enclaves so CUI is detected in an environment.
3. Automate the ability to be audited so contractors aren’t wasting time in spreadsheets.

• Incident Response and Threat Intelligence Controls Needed

Threat intelligence is in an evolutionary stage for larger contractors to monitor their subcontractors to determine if they have vulnerabilities and/or if they have been breached. Third party risk score cards are generally not actionable for defense contractors because the vulnerabilities are not put into context to a business risk. The key is to bring together a threat intelligence picture that can alert on actionable data leaks.