DoD CMMC Cyber Standard Released Today

The Department of Defense Cybersecurity Maturity Model Certification (CMMC) was released today (Version 1.0), and is available on DoD’s OSD website here.

This is a cyber security standard, with 5 maturity levels, created in partnership between the SEI Institute and the DoD.

The DoD has announced that future RFIs and RFPs will require prime contractors and subcontractors/vendors to be externally appraised (audited and certified) at a certain CMMC level to be able to bid on DoD contracts.

They are planning on ‘tagging’ a handful of RFIs in the June 2020 timeframe and a handful of RFPs in the Fall 2020 timeframe with the CMMC requirement, and then phasing in the requirement across DoD contracts over the next 5 years. DoD has said that no existing contracts will get CMMC added to them — instead DoD will add CMMC to contracts as they come up for re-compete.

This morning, Ellen M. Lord, undersecretary of defense for acquisition and sustainment; Kevin Fahey, assistant secretary of defense for acquisition; and Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber, conducted a news conference on cyber security standards for government acquisition at the Pentagon. The video is available online here. The 3 slides presented are shown below.


2019 Gartner Security and Risk Summit

I recently went to the 2019 Gartner Security and Risk Summit in National Harbor (outside of DC). This was my second Gartner conference, and so far they’re 2 for 2 at delivering high-quality, impactful, intense 5-day conferences. The event was jam-packed with great sessions, roundtables, workshops, and keynotes.

I can tell a conference is going to be great when I try to build my agenda before the event and I want to pick 2-3 sessions for many of the time slots.  Fortunately Gartner gives attendees of their events access to the slides and audio of the conference, so you can review what you missed.

I was also very impressed by Gartner’s midsize (companies with $50 million to $1 billion in annual revenue) sessions, with presentations, roundtables, and workshops where leaders from midsize companies could connect, collaborate, (and sometimes commiserate) on best practices related to their size of organization.

My major takeaways (and it’s hard to summarize) were:

  1. Identity is the new perimeter (not the network, not the device)
    • You hear people often now talking about “zero trust networks” (the idea that instead of thinking of the perimeter as your LAN/VPN that you protect, trusting people inside your network, you should instead focus on ensuring your identity and access management (IAM) approach is solid and build security around identity, using things like MFA and risk-based access management)
    • This also means that identity is a critical linchpin to security instead of the idea that devices/users inside a network are trusted devices/users
    • There was also a key point, from Neil MacDonald, here that non-human entities (e.g. DevOps pipelines) need to have unique identities that they authenticate against securely, so they don’t become a huge security hole in your infrastructure
  2. Communicate Risk with Business Perspective: It’s critical to communicate risk to executives/non-IT leaders/board in a way that actually articulates/visualizes risk and how cyber risk affects the business’ value chain/business model (and not talking about security technology at all)
    • It’s important to strike the right balance between quantifying risk and impact (the board demands numbers), and the fact that cybersecurity risk and impact isn’t a statistically mature field, so sometimes qualitative assessments are the only reasonable way to communicate risk (numbers can be overly precise when we don’t have a solid foundation to build them on) — there was a great session where four Gartner analysts debated this intensely, 2-on-2
  3. Information Security fundamentals are critical to do well, and organizations still don’t do them well – organizations spend too much energy on new projects/technologies (shiny new objects) instead of refining the fundamentals they do (e.g. log analysis, change management, asset management, vulnerability management)
  4. Select one primary security framework to orient your Information Security Program around (e.g. NIST CSF (which is dominating the survey data for US and international companies as their standard), ISO 27001) – more than one primary framework leads to confusion, and none means you either have no foundation or you’re trying to reinvent a wheel that industry is rapidly refining
  5. Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) programs are very hard to run well, both technically and from a privacy compliance standpoint — individual state and international privacy legislation requirements make this very complex

If you want to hear more, check out some of the keynotes from the Gartner YouTube Channel; or, for other people’s perspectives on the event, check out the Tweets from 2019 Gartner Security Summit or other blog posts like this one.

Shadow IT should be a Flashlight

Microsoft recently posted 3 ways to outsmart shadow IT, which talks about some technical ways that CIOs can fight against Shadow IT (when employees use technologies not provided/controlled by the company to do their work, such as Dropbox or Gmail).

While security of company information is incredibly important, and Shadow IT must be controlled, it’s important to think of Shadow IT as not just something the Office of the CIO must fight against — Shadow IT should also illuminate areas where a company’s IT infrastructure isn’t supporting the needs of its employees well.

The IT Department should prioritize areas of frequent Shadow IT higher in their backlog to provide more capability — solve the root problem, not the symptoms.

If employees frequently resort to shadow IT for project planning, or file transfer, or real-time document collaboration, the CIO team should consider not just email blasts, training, and security monitoring; they should also be considering getting additional capabilities out to their employees in that domain. If it’s not obvious why a type of Shadow IT is persistent, think about asking ‘Why?’ five times to dig into the real reason people keep trying to circumvent company tools.

How Opinionated are your Tools?

Organizations must intentionally determine how opinionated their collaboration tools (business systems) should be, to align with their culture and business model. Opinionated tools align well with top-down organizational cultures, while non-opinionated tools align well with decentralized, self-organizing cultures.

Organizations struggle at each extreme:

  1. Top-down organizations struggle to scale effectively, creating bottlenecks and issues when decisions constantly require senior leader approvals. People talk about how our world is more volatile and faster moving (see Half of S&P 500 Companies will be Replaced in next 10 years), and that companies need to be more Agile. Agility is hard when you need 3 approval signatures to make any changes.
  2. Self-organized teams struggle to stay coordinated, as each team can “wander off” from any centralized approach to things like enterprise priorities, technology architecture, processes.  They struggle to stay aligned with each other, which is why we see so many Scaled Agile frameworks (see icon mosaic to the right) trying to figure out how to keep self-organizing teams aligned with each other.  Self-organizing teams also struggle to stay aligned across an organization related to things like Enterprise Architecture (consistent technologies) and Business Architecture (consistent processes).

Organizations need to find the right balance between these two extremes for their entire organizational culture, and how they select, configure, and maintain tools to align with this approach.  The figure below shows the spectrum I envision, where a company moves the triangle to find the spot they want their organization to be, and then aligns tools with that spot on the spectrum.

[Figure: opinionated tools spectrum]

Technologies can come out of the box very opinionated (think about a tool like the TurboTax wizard interface, which walks users through a workflow it decides without asking how you want to use the tool) or they can be very flexible (think about Microsoft Word — you can write your letter first, and then format it; or you can set up the page size, orientation, and header before you write your letter).

Technologies can also be configured to be very opinionated — JIRA, as an example, is an issue/ticket tracking system that has a variety of Agile planning/management capabilities. Out of the box, the tool comes with a few standard ticket types and workflows, but you could let each team in your organization configure their own ticket types and workflows, leaving all the permissions wide open for the organization. However, most organizations make JIRA “more opinionated” before they deploy it, only letting a few select leaders/administrators make changes to the system.

On the opinionated side of this spectrum, I see organizations selecting and configuring tools with a heavy focus on ensuring employees use a tool exactly the way the organization’s senior leaders want them to be used (highly opinionated). Allan Kelly recently wrote a great post about how dangerous this power centralization can become for organizations.

On the non-opinionated side, organizations struggle to stay cohesive. They can become organizations of individual teams, or almost a group of consultants who are trying to accomplish things but can’t leverage the scale of their organization to accomplish great things. This can devolve into anarchy, where teams don’t help each other. Think about a team that can’t share talent with other teams because they’re using different processes or technologies. Or a leader who isn’t able to report on progress because each of her teams is using their project tracking tool completely differently.

Organizations, and the Office of the CIO organizations that should be enabling them, need to find the balance, like a train station where the rules of engagement are clear (Where do I get a ticket? Where do I get on the train? Where do I get food?), but different people can get to their trains in different ways. Organizations don’t have to be the wild west with teams doing whatever they want (think about a SharePoint site with no governance where you can’t find anything), and organizations don’t need to be a top-down culture where no work gets done because everyone has given up on requesting approvals and resigned themselves to the slow-moving status quo.

Using JIRA to Scale your Business

I recently spoke at the 2017 Capability Counts conference, put on by the CMMI Institute. It’s an interesting event that isn’t focused just on CMMI maturity models — instead it’s a conference where a few hundred people get together to discuss process improvement, Agile, software engineering processes, and a variety of other related topics.

[Picture: David Anderson keynote, Capability Counts 2017]

The keynote (shown in the picture above) was David Anderson of LeanKanban University talking about the core concepts of Kanban, which go far beyond most people’s understanding of 3-column boards.

I spoke on using Atlassian’s JIRA product to help an organization scale — sharing some best practices/recommendations on how to use a tool like JIRA to get information out of email, hallway conversations, and meetings and into a system where work can be clarified, prioritized and tracked.

How to Pick IT Systems for your Small Business

If you’re the CIO, Director of Technology, IT Person, or Only Person (Solopreneur) at your organization, here are 5 areas of questions to consider when determining if a specific IT system or process would align with your small company’s needs:

  1. Alignment:  Does this system align with your business model (how you do business) and your current infrastructure?
  2. Lock In:  Would this system lock you (Vendor lock-in) into this vendor or system long-term?  Could you export your data and move to another system as you grow?
  3. Investment-worthy:  Is this system worth the investment of money and time (your time, your employees’ time, your customers’ time)?
  4. Get Traction:  Would this system get traction with your employees and/or customers?  Does it align with how you do business, or would you spend your time forcing people to use it?
  5. No Huge Risks:  Are there any significant risks (red flags, deal-breakers) that should drive you away from this system? (e.g. cyber security, loss of productivity, removes future options you want)

Shameless plug:  If you’re interested in learning more about setting up the technology for your company, or future startup, check out this free class I’m teaching next week (Thursday, Sept 10, 2015), sponsored by Capitol Post, in Old Town Alexandria:  Technology 101 for Entrepreneurs (How to Choose the Best Systems for your Business).

Small Business Cyber Security 101

Way back in 2009, NIST released a 20-page document that is a great set of fundamental recommendations for small business cyber/information security.

There are certainly many more things you should be doing, but it’s a great place to start if you’re an IT Director or CIO at a small business and you’re not sure what you should be doing to secure your company’s information and systems.

There are plenty of ways to spend money on shiny cyber security software and devices, but this is a great foundation to build your company’s defenses on before you start buying Intrusion Detection Systems or hiring Penetration Testers or Social Engineers.

Fire and Forget: Difference Between A Vice President And A Janitor

The military classifies some missiles as “fire and forget” because they don’t need to be monitored after they are fired. Great leaders are like this — their boss can give them an objective and know they don’t need to follow up over and over to ensure success.

This concept is incredibly important in your career as you take on more and more responsibility. Junior team members are expected to work hard and be guided by leaders to support the team. However, there is an inflection point where the value people add to the organization separates based on those who work hard and those who will ensure success. It’s great to be someone who works hard to support the team, but it’s a whole different level of value to an organization when someone can be trusted to accomplish an objective without needing oversight. This doesn’t mean you shouldn’t check in with your boss, or ask for advice or mentorship, or request in-progress reviews (IPRs) or other meetings to touch base — it means that your boss sees you as a person they can “fire and forget”:

This type of high-value leader doesn’t wait for someone to check on them when they have questions or obstacles (they analyze and solve them, or they ask for help, or they bring recommendations to someone for validation).

Business Insider wrote a post several years ago about a related quote by Steve Jobs: Steve Jobs explained that the difference between a janitor and a Vice President is that a janitor can have excuses for not getting their work done, but a VP is responsible to succeed, regardless of obstacles.

“Somewhere between the janitor and the CEO, reasons stop mattering,” says Jobs, adding, that Rubicon is “crossed when you become a VP.”

In other words, you have no excuse for failure. You are now responsible for any mistakes that happen, and it doesn’t matter what you say.

Invest time and energy and become a leader that people can trust to get things done when you say you will, without oversight or reminders.

Affordable Video Conferencing

As a small business CIO, video conferencing has traditionally been split into 2 extremes:

  1. Expensive solutions of enterprise vendors like Polycom and Cisco
  2. Consumer experience of using the webcam in your laptop with something like Skype or Google Hangouts

I’m excited to see that some technologies are starting to pop up in between these — things like:

I’d like to see solutions that better integrate with Microsoft (MS) Exchange/Outlook — perhaps Lync will add integrated audio conferencing and the ability to run on Chrome OS. Chromebox for Meetings looks like a great solution, but small businesses who use Microsoft Exchange would struggle to use Chromebox for Meetings without having users connect with their personal Gmail accounts, which isn’t a professional experience.

The problem is that Microsoft and Google are trying to increase the value of their ecosystem, so integration isn’t a top priority.