Fireside Chat Recap
To be a trailblazer, you must be willing to relinquish what you think you know, stay flexible and open to new concepts, and work hard to reach the end goal. To be a leader, you must be willing to teach those looking to stand on the same pedestal so they can join the exclusive leadership club. KTL Solutions was lucky enough to guide Redspin through their trailblazing process as they became the first authorized C3PAO on the CMMC-AB’s Marketplace.
During our Fireside Chat on July 29, 2021, our goal was to educate the DIB and Candidate C3PAO community on the process and lessons learned from the assessment by DIBCAC on Redspin. I served as moderator for the conversation between Thomas Graham, VP, CISO, and CMMC Provisional Assessor at Redspin and Andrew Lally, Director of Software Development & Technology at KTL Solutions.
CMMC Preparedness Process
As Andrew described, one of the first steps in the process was to determine the scope of the engagement and the assessment environment. Thomas mentioned that the process started well in advance of engaging with KTL for the development of the secure enclave. The work of creating CMMC policies started in June 2020, a full year before passing the DIBCAC assessment. This allowed Redspin to document revisions and updates to policies over time, which illustrated the maturity aspect of CMMC that Redspin continues to practice today.
An Assessment is a Snapshot
In my more than 20 years of working in cybersecurity, I vouch that this is an important methodology. Preparation and maintenance are key to managing compliance. Just because an assessment has been completed and passed doesn’t mean the process can stop until the next assessment. An assessment is a snapshot showing that you are compliant at the moment. What you do after the fact determines if you stay in compliance.
Secure Enclave: Advantages and Disadvantages
Andrew went on to explain some of the advantages and disadvantages of the secure enclave. One key point is that you are able to limit data sprawl to the enclave until you need to open a path out of it. For example, a manufacturing process running in a secure data enclave may need to print to the shop floor, so a secured outbound connection would have to be configured, which increases the scope of your CMMC requirements.
The biggest disadvantage of the secure enclave is that it requires internet access 100% of the time to work. Where a company needs to keep working without an internet connection, the secure enclave route would not be an option. Thomas added that one of the advantages of the secure enclave route for Redspin was that they were able to scope out the endpoints, making it easier to support a remote workforce.
Thomas went on to explain what happened after the DIBCAC assessment as Redspin finalized the process with the CMMC-AB. It was necessary to be flexible and open to changes based on requests and questions from the CMMC-AB. For Redspin, the initial interview with DIBCAC did not start with security-related roles but with the VP of Marketing, highlighting how important it is for everyone to know their roles and responsibilities prior to the assessment. Thomas also explained the importance of the Responsibility Traceability Matrix and how it assisted in the assessment process.
“If you can’t fly then run, if you can’t run then walk, if you can’t walk then crawl, but whatever you do, you have to keep moving forward.” – Martin Luther King Jr.