Read transcript
Hide transcript
**Voiceover:** Welcome to Hash It Out, a podcast built by data security experts. We decipher the data security landscape through honest conversations about today's headlines and tomorrow's challenges, brought to you by Virtru. Let's dive in.
Andrew Lynch: Welcome to Hash It Out. Today, we're talking CMMC Level 2 certification with Maya HTT. Globally, fewer than 600 organizations have achieved Level 2, and they are one of them. We've got the full team: the certified organization, their consultant, and their lead assessor, sharing what actually works, common pitfalls, and how to choose the right partners. Let's hash it out.
Welcome, everyone. Thank you for joining this episode of Virtru's Hash It Out. Today, we're going to be going over the excitement around achieving Level 2 certification with CMMC. We have three very special guests joining. I will let each of them introduce themselves and their role in this conversation today. Jonathan, kick it off to you to start first.
Jonathan Bieber: Hi, I'm Jonathan Bieber, and thank you for having me on the podcast today. I'm the IT Director and CISO at Maya HTT, and I've been around for almost 15 years now.
Andrew Lynch: Great. Thanks, Jonathan. Really enjoy you joining today. Christopher, would you mind introducing yourself?
Christopher Augoustis: Yes, my name is Christopher Augoustis. I'm a CMMC RP at StreamScan, and we're based out of Montreal.
Andrew Lynch: Great. Thanks for joining as well, Christopher. And Brendan?
Brendan Kenney: Yes. Hello, everyone. My name is Brendan Kenney. I am a Lead Consultant at Forvis Mazars. I'm also a lead CCA, or CMMC Certified Assessor, and I'm based out of Buffalo, New York.
Andrew Lynch: Great. Well, thanks again. So, I think everyone can tell that we're going to be talking about CMMC, achieving a Level 2 certification, which Maya HTT did accomplish, and a lot that goes into that. Why don't we kick it over to you, Jonathan, first? Would you mind just sharing a little bit about Maya HTT and what your organization does?
Jonathan Bieber: Totally. So, Maya HTT is a Montreal-based company here in Canada. Explaining what the organization does in a few words is not that simple, but at our core, we are a highly specialized provider of industry software solutions. We focus on solving complex engineering challenges in the world of 3D simulation. We're also bringing expertise in different areas, such as industrial AI and Product Lifecycle Management (PLM) as well. But in a nutshell, if there's an aircraft, a satellite, or an engineered system, our tools can simulate and assess its behavior.
We work with government organizations in both the U.S. and Canada, including customers that are associated with the Department of Defense. This is the key reason we pursued and achieved the CMMC Level 2 certification.
Andrew Lynch: That's great. So, just to recap for everyone, as of today, I think on the last Cyber Week Town Hall, there were fewer than 600 organizations who have achieved Level 2 certification for CMMC. Jonathan, could you expand on what led your organization to determine going after that certification now versus maybe waiting for the future?
Jonathan Bieber: We're being proactive. We started with the NIST SP 800-171 framework a few years ago, and we knew that CMMC would become a law in the United States. We were lucky that there was an initiative here in Quebec as well to encourage organizations to get certified and be more mature on their security frameworks. We started working with StreamScan—with Chris here—and basically, we wanted to be ahead of the game. We wanted to make sure we took the time to assess and then do the work to be able to deliver to our customers on time. We were foreseeing that they would be requesting it, and we were right.
Andrew Lynch: That's great. And again, congratulations on the achievement. Being one of the first in the world to accomplish this is no easy feat. You mentioned Chris, so Chris is someone at StreamScan that you partnered with for you all to get prepared to meet Level 2, correct?
Jonathan Bieber: Correct.
Andrew Lynch: Great. Well, I'd like to then pass it over. Chris, maybe could you introduce what StreamScan does? And maybe both of you can just share a little bit about how you found each other, and Christopher, what StreamScan does for organizations to help them with CMMC?
Christopher Augoustis: Yep. So at our core, we're a cybersecurity company. We started doing incident response at the beginning; that was our core business. We later realized that there was a gap in technology, especially here in Canada. A lot of the major technologies are really coming out of the U.S., and there was really nothing that was encompassing the whole cybersecurity framework. There was nothing that could bridge technologies together.
So, we decided to build out our solution. It's called CDS. It's basically an IDS/IPS system with our managed team behind it. A couple of years back, when CMMC was starting in 2020, our boss was looking at it and saying, "Well, this is coming. It's already been here for a while. Nobody's really taking it seriously." So we started moving forward in CMMC and looking at NIST 800-171 and what we can do to prepare and how it's going to affect the supply chain. We quickly realized that this was not just going to be based in the U.S.; this was coming to Canada as well. So we wanted to be one of the front runners in this. We decided to become an RPO. That's when I joined the team, and then we started working with companies like Jonathan's through the program that he mentioned here in Quebec.
Andrew Lynch: That's great. Jonathan, maybe could you share what led your team to decide to go and work with someone like StreamScan first to get us ready even before pursuing getting the actual certification?
Jonathan Bieber: NIST 800-171 was a self-assessment. So it was really your own interpretation of what are the controls that are required. Going on with the CMMC certification, we knew that we were in a different game, that would be going through an assessment, and we wanted to get it right. It is requiring a lot of effort. If you look at the list of controls—and it was meant to be extended with the new version—we knew that there would be a lot of policies to write. We realized that we were operationally ready, but we were not necessarily at the level when it comes to policies in place. So we needed that experience that StreamScan brought, that Chris brought, to really understand the gap analysis of where we are at now and where we have to be.
Andrew Lynch: That's great. And maybe Chris, from initially working with Jonathan and just organizations like theirs, what are some of the common gaps that you see that maybe organizations need more help with or overlook getting ready for their assessment?
Christopher Augoustis: The common denominator with, I would say, 95% of the companies we work with is documentation and policies. It's something that a lot of companies don't necessarily do very much. They do the work. When we did the gap assessment with Jonathan, most of the controls were there. There were a couple of things that are NIST-specific that we wanted to just clarify, but policies were the biggest thing. We know going through these assessments that even though you can prove that you do it, if you do not have any documentation supporting it, it's like you do nothing. So that's the biggest piece that companies are missing: that documentation. A lot of these implementations are, "Let's put a GPO in place, let's put a group together," and that's as much as a lot of these controls go. So policies are really a huge piece to this puzzle that a lot of companies are missing.
Andrew Lynch: Got it. Maybe could you share in more detail, Jonathan, what sort of preparation did StreamScan help you with? Did they do any mock assessments? Did they help with documentation? What was most valuable from your perspective?
Jonathan Bieber: I would say pretty much everything. They are equipped to help you with everything. When it comes to the technology standpoint, it's really up to you. They can, of course, bring some advice, but they're, I would say, solution-agnostic in that way. So they will make sure that they understand the solution you're using, but they will help you with the gap analysis, which is first, like I said, where everything begins—to realize where you stand.
They will help you with the documentation as well. So they do have templates and documents to help you understand because that's also one thing to be like, "Well, you need all those policies in place," but where do I start? This is where they're able to guide you through the process. So it's very valuable. At the time, we didn't have a compliance department, and you have to consider that it could require a person full-time if you're looking at getting certified within a year, for instance.
Andrew Lynch: Great. So Brendan, I'm going to pass it over to you now and I'd like to get your perspective on the preparation towards an assessment. You know, being an actual lead assessor working for a C3PAO, what sort of value do you see this sort of consulting preparation work adding to organizations that are trying to work towards achieving certification?
Brendan Kenney: Yeah, no, it's a great question. And I think really what it comes down to is what Chris had said earlier: just having that understanding of the controls. Jonathan got at this one too, about saying that doing the self-assessment and having their own interpretation is one thing, but understanding it from an assessor's perspective—or somebody who has been doing the assessments for a long period of time—they might have a differing opinion on what that control interpretation is. Bringing in a consultant can help bridge that gap between what you think the intent of a control is and what the actual intent is in NIST terms.
In addition to that, though, it never hurts bringing in a consultant to have that gut check, basically. Their job is to come in and tell you, "Are you doing this right? Are you not doing it right? Are your policies and other documentation actually aligned with how the control's been implemented?" That is one of the common pitfalls that we see as organizations. They have the controls in place. They have the documentation in place. However, there are misalignments in there. What we see is when an OSC (Organization Seeking Certification) brings in a consultant, the consultant comes in with a fresh mind, typically finds those misalignments, and corrects those before we come in as assessors.
Andrew Lynch: That's really helpful perspective. Thanks, Brendan. So Jonathan, obviously, you all selected to use Virtru to help with certain aspects around CMMC, specifically helping to encrypt data in certain workflows. And I know a lot of organizations very commonly think that, for example, Microsoft GCC High may be the only option or even a requirement. They may not know that something like Virtru is out there to be able to help. How did you all assess and justify staying on the commercial cloud and using Virtru?
Jonathan Bieber: That's a good question. We did start with a separate tenant, and it was not a GCC High. Initially, we wanted to separate the operations and make sure that we protect the data and it always stays on U.S. soil, and there is no risk of backing it up. But we quickly realized that it was becoming an added load and it was not necessarily the best approach. When you multiply systems, you multiply weaknesses. The more there is to protect, there's more to think about. Tomorrow, you're enforcing a setting on one, then you might forget it on the other one.
So we really focused on the integration parts of our systems, and that's where Virtru, I think, is a great solution because it does integrate with our systems in place without necessarily having to maintain multiple environments. Like you said, GCC High also comes at a cost, and we wanted to remain flexible on that part.
Andrew Lynch: Thanks for that, Jonathan. You mentioned being in Canada and having teams and offices in other countries, I'm assuming can add some complexities. Could you maybe speak to what were some additional considerations that you all had to consider and navigate through with that dynamic?
Jonathan Bieber: It does. A big part of it is the identity management—the way you manage who accesses what and who can administrate it or not. CMMC is also very well built in a way that you can still administrate a part of it, but not necessarily access the data. We just didn't want to take any risks. We actually have a power user in the United States that helps us assigning licenses and guide the different workers in our staff whenever they need training or help on the platform.
And then on top of that, because Virtru integrates with Microsoft very well on the identity provider side of things, we added conditional access policies to ensure that the identity of the person connecting to Virtru is verified, and the location is verified. So this way, we really were able to achieve a logical separation between the workers here in Canada and in the U.S. to protect the data.
Andrew Lynch: That's great. So it sounds like not just the fact that Virtru was able to save costs—which I know is important, as there are lots of additional costs that organizations are taking on as they're trying to meet CMMC—but it sounds like also the integrations were pretty seamless from your perspective with Virtru.
Jonathan Bieber: Yes, correct. The solution allows us to be agile. And I think that remains a big part of an adoption for an organization: to be able to integrate it within your stack of tools, but also for the users, essentially for the staff you're giving the tool to. They have to make sure it's part of their daily tools. If you make it a different platform every time, it becomes hard to use. They might use other systems. It might be harder to enforce. So it is a great asset.
Andrew Lynch: It sounds like there's the balance between "we need to meet the compliance," but we also need to ensure that people are actually using what we select. If they don't use it, they may try and go around it and use something that is not approved. And then essentially, you're contradicting what you tried to accomplish, which is having a process that people follow that's compliant.
Jonathan Bieber: And you do have to think about that all the time with CMMC because you do apply the controls. But one of the questions that Brendan's team is going to ask you is, "How do you enforce it?" And that is something that you have to provide an answer for.
Andrew Lynch: Yeah, Brendan, I actually wanted to ask you that. I'm just curious, in an assessment, do you ever see processes that seem to be much more difficult to follow than they actually expect? And you can maybe tell that they made this policy just to try and meet the control? Is that something that ever leads to further questions and perhaps then them not meeting the objective?
Brendan Kenney: Organizations that go through and read the CMMC assessment guide and the supplemental guidance from NIST 800-171 and other NIST documentation, sometimes get it in their heads that they have to implement some sophisticated solution or sophisticated process, and that's never the case. The intent is just to meet those 320 assessment objectives, and a lot of the times you get to define that. Then us as assessors, we're just going to come in and assess you based on what you say you're doing. If we come in and you say that you're doing something, you have to be prepared to be assessed against exactly that.
Andrew Lynch: That makes sense. Thanks, Brendan. Chris, I know earlier you mentioned, and Jonathan has shared, the value that your team added in getting them prepared. And I know that being a consultant, you're not really giving advice on what vendors to go with; you're taking more of an unbiased approach. But I know that often when it comes to encryption and secure file sharing, there are options, but a lot of them can be really hard to use and add user friction. What sort of consideration do you take around that? And how did you see Virtru, when they came to you, being able to help with that?
Christopher Augoustis: Yeah, so we do get a lot of questions about: do we do enterprise assessment or enclave assessment? And it kind of guides the conversation for the customer. It is one of the first things we want to understand about the customer when they come to us. Is it everybody in your organization that needs to get certified, or are we talking about 10, 12 people out of 100? Then we start narrowing it down.
A lot of customers come to us and say, "Well, we want to buy GCC High, but how do we do that?" And for a lot of customers in Canada, it's almost impossible. You need to be a U.S. person and you need to have a U.S. business location to be able to get access to a GCC High environment. So for a lot of Canadian companies, it's almost impossible to get that. So we immediately saw that right away because we were getting a lot of these questions. So we wanted to find a solution that works.
We go based on the customer. If they're 100% cloud, we're not going to sit and try to tell them, "No, you need to come back on-prem, buy a solution because it's better." Our goal is to get the customer certified as fast as possible and the easiest way possible. We don't want it to be super complicated where you need to buy 15 tools, whereas maybe two or three can do the job.
So when Jonathan came to us with Virtru as an option, we had no idea about Virtru at the time. We looked into it and we had no concerns at that point. And I think up until a couple of weeks ago, I hadn't even seen what the platform looked like. We didn't even have to go through it because of the documentation that was provided. We knew that Virtru would be a great solution to pass the certification.
On top of that, Jonathan didn't even have access to Virtru to show us what the platform looked like. So when we were looking at that and we had to start getting some evidence out to start seeing who has access, who doesn't have access, we kept using Jonathan as the example saying, "Hey, even the CISO doesn't have access to Virtru because he does not need access to any CUI data." So it was very easy for us to just focus on other controls rather than what Virtru is closing.
Andrew Lynch: That's great to hear. So Brendan, I know that being able to audit data and CUI is part of the CMMC assessment process. I'm curious from your perspective, where does that come into play? And being able to show that you can do that as an organization easily, what sort of value does that add to the assessment process?
Brendan Kenney: Yeah, so there are several different security requirements throughout the CMMC framework that handle things like audit and accountability, audit logging, audit trails. Some big ones that come to mind are controls 3.3.1 and 3.3.2: making sure that the organization has the ability to go through previous audit trails and be able to reconstruct what was exactly done with access to CUI, access to the platforms, being able to determine who modified things, who deleted things, things like that. Very important. Those controls, they're worth five points from that DoD scoring methodology. So, those are required. They don't allow for a POA&M. It's very important that OSCs get those correct during their assessment.
Andrew Lynch: That's really helpful. Thanks, Brendan. So, just to kind of wrap it up, last two questions for Christopher and Jonathan. I'll ask you, Jonathan, first: Just looking back, what is one lesson that you wish you had known at the start of your CMMC journey that you think would have made the process even easier?
Jonathan Bieber: I mentioned it before: going back to the documentation part, I would say start building the different policies. We always think we're doing our best, and that's great. However, comes when you realize that your operations are solid, you also have to have the processes well in place and documented. So I would say make sure that you start with the documentation part because obviously, you're already doing a big chunk of the operations.
Andrew Lynch: Thanks, Jonathan. And Chris, from your perspective, what is the number one piece of advice that you would give to an organization that you're consulting with that's trying to achieve Level 2 certification?
Christopher Augoustis: Yeah, so what we tend to do is tell them: find a good partner. There's a bunch of partners out there that can help you on the enclave side where they can help protect CUI, but also on your security monitoring piece. That is a big one that companies think, "Hey, we will just do this in-house," and then they don't understand what that entails.
You're looking at logs, you're reviewing logs, you're making sure that any alerts that are coming through at any time are being treated properly within time frames that you give in your guides that you're providing to the auditor. In 3.14.1, where you have vulnerabilities that need to be patched within a certain time, you need to make sure that you're following those.
So it's a big difficulty for a lot of customers to say, "Well, we want to patch within 24 hours," but now it's Friday night and nobody's there to do anything. An event came in over the weekend and we're telling the assessors that we can do this in 24 hours, but now it's been 48 hours because it's the weekend and nobody's going to touch it till Monday. And then when we're going out to show evidence, the auditor decides, and we open our tickets, we show one or two. And if it pops up that we haven't touched one in 48 hours, right there is a gap. And then it could possibly lead to a failed certification.
So we want to make sure that the person that you're working with, either they're certified already CMMC Level 2 like we are, or that you can do it in person. If your team is big enough, like Jonathan's team is able to do it, it was not a concern from us. They have a big enough team and they work all the time to close any vulnerability that's coming in, any threat that's coming through their system.
Andrew Lynch: That's great. So Jonathan, we do hear often that organizations, C3PAOs, consultants, they recommend to find a good partner. OSCs with these consultants and assessors work well together. Could you maybe speak to how did you all go about doing that, starting with maybe StreamScan?
Jonathan Bieber: So we had an initiative here in Quebec, as I mentioned earlier, and that really helped organizations to be connected to consultants. And StreamScan was part of the initiative. They were collaborating closely with the government here. And so that's when we started the discussion with Karim, who's the owner of StreamScan and who's really qualified to handle this type of certification. And we started working with Chris.
I strongly think that you need to get help, wherever it is, for your journey to build all the controls, as well as to make sure that you get the right assessors. Because when you talk to a technical team, you're speaking the same language. So it makes the whole assessment easier; you actually align on everything you're saying.
And also lastly, I would say when you can get help for products like Virtru, it will satisfy a lot of controls because you cannot build everything yourself and different solutions will validate different controls. But if it integrates and if they deliver a solid solution that is trusted, they can even provide you with the list of controls that you know you're satisfying with this. So the help is really going to make the process, which is tedious, long, and complex, easier.
Andrew Lynch: That's great. So it sounds like starting with regionally, you know, StreamScan having supported organizations around you. That's how you made the introduction. And Christopher obviously was extremely helpful in you all achieving success and you guys worked well together. And then, how did maybe Christopher, could you speak to how you then kind of tapped Maya HTT and said, "Hey, we think you're ready"? And how did then Forvis Mazars come into the equation as who you were going to use for your C3PAO?
Christopher Augoustis: Yeah. So we started with Maya HTT before certifications were allowed. So we got to the end or, I would say, 90% of the certification ready. And then that's when the rule dropped that starting in January, there are companies that can start doing your C3PAO audit. That's when we started to reach out to auditors at that time.
I believe we reached out to four auditing companies and only two got back to us. One was Forvis Mazars, and we met with their team—we met Tom, Alex, and everybody on their team. And we were very impressed with what they can do for us, how they can help us, and how flexible they were. The other company that we spoke to was booked up until March and said, "We can't help you at all."
The Forvis Mazars team, it was completely different. It was kind of like, "When do you guys want to get certified?" "Maybe it would be in February." "Okay, we have time maybe the end of February." It was kind of more of a partnership rather than just kind of saying that this is when we have time, take it or leave it.
And then we did the first assessment with them and their team, and it was quite early on. I think at that time, Brendan, it was the fifth audit that we did. So it was quite early. So everybody's kind of new to the process. So we really liked the way that they work. And then we went onto our assessment with them, and it just worked out so well. It was so nice. Everybody's so good on their team. And we figured, why would we want to change that at that point? Their team is super knowledgeable. They know all the controls inside and out. And not just the controls, but the technology. Sometimes you talk to some companies and you mention one technology and they don't understand the workings behind it. So it was easy to go back and forth with Brendan and his team on certain things and iron out controls quicker because their team has that knowledge.
Andrew Lynch: That's great, and kudos to the team again, Brendan. I know that obviously Christopher and Jonathan are appreciative of the flexibility and great work that you did. Well, I think that wraps it up. I just want to thank all of you for joining. I think you all shed some really helpful perspective for those who are trying to work towards what you all have already achieved.
And we'll make sure to include the contact information if anyone would like to reach out to StreamScan or Forvis Mazars to help through their CMMC journey. But thanks again, Christopher, Brendan, and Jonathan, and we'll see you on the next Hash It Out from Virtru.
**Voiceover:** Thanks for listening. If you enjoyed this episode, leave us a five-star review, and don't miss us the next time we Hash It Out. Like, follow, and subscribe to us on YouTube, Spotify, and Apple Podcasts, all linked below.
/Carissa/Events%20and%20Webinars%20Events%20Page%20Card/26-Hash%20It%20Out-Thumbnail-Ep%2034.jpg)
