CMMC certification could be the key to surviving DOGE cuts! 👀In this episode, I’m joined by Derek Kernus of Aethon Security to discuss the business case for CMMC!This episode was really refreshing to me. Yes, our discussions about deep CMMC topics are important, but learning how to convince your company leadership to make the CMMC investment is even more critical.Here are some takeaways:How CMMC early adopters can shape contracts and limit competitionHow to frame the CMMC investment to internal leadershipThe impending CMMC bottleneck of doom 👻What mock assessments are and how they can help you prepareWhy choosing the wrong MSP could actually kill your chances at certificationAfter being impacted by DOGE myself, I've put a lot of thought into how small businesses will be impacted by DOGE + CMMC.Most of my concern is for SMBs that haven't started preparing for CMMC. That costs a lot of money, and if SMBs lose revenue due to DOGE cuts before they prepare for CMMC, I'm not sure they'll be able to survive in the defense contracting space.But there is great opportunity for CMMC early adopters to be part a small cadre of CMMC certified companies and operate in a much smaller competitive space.It turns out CMMC actually could be your business's savior. Who knew!?!I really enjoyed this conversation! What were your biggest takeaways? Let me know in the comments.Follow Derek on LinkedIn: https://www.linkedin.com/in/derekkernus/Aethon Security Website: https://www.aethonsecurity.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-10&utm_campaign=courses#cmmc
--------
52:53
--------
52:53
The Compliance Playbook to Cybersecurity
"Compliance is the security referee - frameworks are the playbooks."In this episode, I’m joined by Tim Golden, Founder of Compliance Scorecard, to unpack the misunderstood, and mission-critical world of cyber GRC.Tim shares what he’s learned from decades of hands-on work - from implementing NIST frameworks before “GRC” was even a term, to helping teams understand why writing policies is just as important as patching vulnerabilities.Here are some highlights from the episode:What GRC actually means - and why governance is the most misunderstood partWhy people who say "compliance isn't security" are missing the pointHow explaining the "why" of cybersecurity controls aids in acceptanceWhy data retention policies can protect you from major legal headachesAnd yes… a story about how Tim accidentally ransomwared himself 🙃This is a must-listen for anyone navigating compliance, cybersecurity, or just trying to understand how it all fits together!I really enjoyed this conversation! What were your biggest takeaways? Let me know in the comments.Follow Tim on LinkedIn: https://www.linkedin.com/in/timothygolden/Compliance Scorecard Website: https://compliancescorecard.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e9&utm_campaign=courses#cybersecurity
--------
31:43
--------
31:43
How HITRUST Fixes What’s Broken in Cybersecurity Compliance
Cybersecurity frameworks can learn a lot from HITRUST.In this episode, Ryan Patrick of HITRUST explains how HITRUST approaches the assurance problem, from centralizing the certification process to frequent updates to the control sets based on threat data.I barely knew anything about HITRUST going in, but it’s clear they’re tackling the cybersecurity assurance problem in a radically different way.Here’s what stood out to me:HITRUST reviews its security controls quarterly based on threat intel and control effectivenessThere are three distinct assessment levels (like CMMC)HITRUST itself issues a certification after the 3rd party assessment and running the assessment results through two stages of QAEvery 3rd assessment gets reviewed. Every. Single. One.The centralized approach of HITRUST allows them to provide feedback to its assessment community after each and every assessment which results in assessments that are more consistent and higher quality.HITRUST certified organizations are contractually required to report incidents which then allows them to evaluate the effectiveness of their controls.I personally think that commercial cybersecurity frameworks should take a look at HITRUST.What were your biggest takeaways? Let me know in the comments.Follow Ryan on LinkedIn: https://www.linkedin.com/in/ryan-patrick-3699117a/HITRUST Website: https://hitrustalliance.net/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e8&utm_campaign=courses#hitrust
--------
55:46
--------
55:46
CUI Masterclass with Ryan Bonner
"Outread the others" - that's how Ryan Bonner mastered CUI.If you're confused about Controlled Unclassified Information (CUI) - you're not alone. Many defense contractors (not to mention DoD themselves) misunderstand what is CUI, where it comes from, and how to handle it.In this episode, Ryan Bonner, CEO of DEFCERT, gives a masterclass in understanding CUI from the actual laws and regulations - not just hearsay.👉 Here are the highlights:What CUI really is - and what it’s notHow to use the NARA and DoD CUI registriesThe proprietary paradoxHow to decontrol CUIThe difference between FCI and CUIDoD memo on determining CMMC levels This is essential listening for anyone working with the defense industrial base - primes, subs, and especially DoD program managers who want to avoid missteps.What were your biggest takeaways? Let me know in the comments.Follow Ryan on LinkedIn: https://www.linkedin.com/in/rybonner/DEFCERT Website: https://defcert.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e7&utm_campaign=courses#cui #cmmc
--------
51:04
--------
51:04
Small Business Achieves CMMC Level 2 Certification: Reynolds Construction's DIY Success Story
HR guy leads his company to CMMC level 2 certification! 👀In this episode I’m joined by Eric Fields of Reynolds Construction to learn how he led his business to CMMC level 2 certification!I call him "Eric the Great" - you'll see why in a moment.Eric's background was in HR and business operations. He had no background in IT or cybersecurity.They did it in-house - with just two people and smart choices.👉 Here’s how they did it:CMMC training from GRC AcademyResources and advisory services from Kieri SolutionsCCP & CCA trainingMeticulous documentationThis episode is very special to me - Eric's intro to CMMC was through GRC Academy more than 2 years ago, and he was actually the second person to leave a 5-star review on my CMMC training for defense contractors: https://grcacademy.io/course-reviews/cmmc-overview-training-eric-f-20230127/This episode is a great reminder that small businesses can achieve CMMC certification without breaking the bank.That said, time is no longer a luxury. With CMMC phasing in this summer, small businesses need to move fast - and partnering with a CMMC-focused MSP can help accelerate the process.What were your biggest takeaways? Feel free to celebrate with "Eric the Great" in the comments!Follow Eric on LinkedIn: https://www.linkedin.com/in/ericfields6/Reynolds Construction Website: https://www.reynoldscon.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e6&utm_campaign=courses#cmmc #nist #cybersecurity
Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform for GRC professionals, executives, and anyone else who wants to increase their knowledge in the GRC space!