April 29, 2021


John Laffey, Program Manager at Perry Johnson Registrars, Inc., discusses the cornerstones of an information security management system from the perspective of a management system auditor.

  • Context: the boundaries, the scope, the data, the people, the systems, and the stakeholders.
  • Leadership: driving the entire process, continuing to champion it and making sure resources are available.
  • Planning: documented processes, risk assessment and risk management (change = risk).
  • Support: budget, continuing training competencies, determining what the required competencies are, and then ensuring that those folks are meeting them.
  • Operation: putting practices into action, verifying that you’re doing what you say you do.
  • Performance Evaluation: “It’s kind of the day to day, month to month, year to year maintenance of ensuring that things are staying on the rails and that nothing is slipping.”
  • Improvement: reaching expected, measurable outcomes and asking what can be improved in our organization.

Not only are these valuable clauses in terms of passing your audit, but they’re valuable in terms of reducing your organization’s risk. This podcast can help you understand how your current management system can benefit you with your CMMC efforts.

To ensure you never miss an episode, subscribe to the show on Apple Podcasts, Spotify, our website or wherever you get your podcasts.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there and welcome to yet another episode of the Virtual CISO Podcast. With you today is John Verry as always and with me as well is Andrea VanSeveren. Good morning, Andrea.

Andrea VanSeveren (00:36):

Good morning. Hey, John. Hey, everyone.

John Verry (00:38):

Even though it’s 4:18 in the afternoon-

Andrea VanSeveren (00:41):

Well, nobody knew that.

John Verry (00:41):

… Now they do.

Andrea VanSeveren (00:41):

Good luck with that.

John Verry (00:43):

Andrea, you know what? We talk about transparency is a core value of pivot [inaudible 00:00:49]. So what’d you think of my conversation with John Laffey?

Andrea VanSeveren (00:54):

Yeah, so I thought it was really interesting. I don’t think a lot of folks realize that their ISO 9001 management system can actually help prepare them and simplify for CMMC compliance down the line.

John Verry (01:06):

Yeah, and so the reason why I was excited to have John on the episode is that he is a different individual, a unique individual because he’s both an ISO 27001 and an ISO 9001 auditor. So 9001 is a quality management system and ISO 27001 is an information security management system. And what’s interesting about what ISO did in about 2015 is they normalized the management system. So the logical constructs, the clauses of the management system are identical across each of them. It’s all about understanding the context of what you’re trying to accomplish and understanding risk and properly resourcing and ensuring the effectiveness of the system and conducting internal audits and continuous improvement.

John Verry (01:50):

So once you’ve understood how to run an ISO 9001 management system, logically ISO 27001 works the same way except the focus in one case is quality and the focus on the other one is ISO 27001. So the idea for the discussion really to get John on was that we’ve had instances where 9001, ISO 9001 subject matter experts have actually been great at managing ISO 27001 information security management systems. If you take the next logical step, ISO 27001 is highly analogous to CMMC, hence in my brain, someone who is a 9001 subject matter expert should also be very good at managing a CMMC system. So that was the idea of the podcast and I hope that came across as you were listening to it.

Andrea VanSeveren (02:40):

Yeah. Yeah, I think so. I mean, so really if you’re planning to do business in the DIB, you’ve already made a substantial 9001 or 27001 investment, John can really help you connect the dots and understanding how your current management system can help you down the line with the CMMC efforts.

John Verry (02:58):

I like the fact that you didn’t differentiate John’s. So-

Andrea VanSeveren (03:01):

Yes, well, John is correct. That’s the answer.

John Verry (03:07):

… I thought 42 is the answer to all questions and 10 cents if anybody knows that particular reference. All right, with no further ado, let’s get to the episode. John, good afternoon, sir. Thanks for joining today.

John Laffey (03:21):

Yeah, thanks for having me, John. How are you?

John Verry (03:23):

I’m good. I’m good. So always like to start out simple. So tell us about who you are and what is it that you do every day.

John Laffey (03:30):

Yeah, absolutely. I’m John Laffey. I am the ISO 27001 and ISO 20000 Program Manager for Perry Johnson, which basically entails working with new clients, bringing them on board. In addition to that, I’m a lead auditor for both of those standards as well as ISO 9001. So I spend a lot of time doing assessments and audits.

John Verry (03:50):

Excellent. Excellent, thank you. And that’s a… And anyone… Well, that explains really why we asked you to come on. We’re in a really interesting place now with ISO 9001 organizations in the defense industrial base suddenly need to move towards something called CMMC. So I thought your expertise in both CMMC, well, excuse me, information security through ISO 27001 and ISO 20000 to some extent and 9001 kind of situated perfectly to have this conversation.

John Laffey (04:21):

Yeah, absolutely. I think it’s really interesting the fact that 9001 does play a role in this. But I think if you look at CMMC, it starts off at level one, which is the basic hygiene of folks just having to have practices or controls in place. They just have to demonstrate they’re doing things. They don’t necessarily have to have a documented plan and resource and all those things. However, when you get up to levels two and three, now you do need to have policies in place and documents about how these different practices are being implemented and plans on how you’re measuring and improving these things. And I think that’s really where 9001 ties in because 9001 being a management system, you need to have defined processes that are repeatable, that are measurable, that you can improve upon, that are driving improvement. And I think that’s where a lot of the bleed over with CMMC, especially when you get to levels two and three is going to come into play.

John Verry (05:14):

Yeah, and that’s exactly the thought process. So when you and I started chatting about this and said, I thought this would be a cool topic of conversation. I don’t have the 9001 background and expertise that you do, but I’m an ISO 27001 certified lead auditor. And I’ve been doing ISO for 15 years. And I really understand the ISO management system and in, what? Was it 2015 or so, they normalized the management system between 9001 and 27001. And logically to me, then I’ll be curious if you agree with me, logically to me, if the management systems are the same and ISO 27001 is akin to CMMC, then 9001’s management system construct applies directly to CMMC.

John Laffey (05:57):

Absolutely, I think that’s a perfectly logical connection to make. And with your familiarity with 27001, the management system elements, defining scopes to developing policies, measuring things, improving things to drive improvement, using those measurables you’ve defined and then obviously all the controls in 27001, there’s a lot of direct correlation. I mean, even down to the controls themselves, there’s a lot of overlap between 27001 and CMMC. But I think where 9001 will really come into play, especially maybe with some smaller companies who don’t have any experience with having management systems in place, it’s just getting comfortable actually sitting down and doing some of that strategic thinking, documenting where you’re creating plans and policies and going through the process of really understanding what you do now and if it’s going to meet what you need to do for, let’s say CMMC in this case.

John Verry (06:50):

Yeah, but I mean, if you think about the defense industrial base and what the number they give you is 350,000 or something of that nature. I mean, a significant percentage of those organizations are kind of in the manufacturing space of some sort. A significant percentage of those have 9001. Now I know that PJR is one of the, correct me if I’m wrong, but you guys are one of the leading certification bodies in the world in terms of the numbers of 9001 certifications that you guys give out, right?

John Laffey (07:19):

Yeah, absolutely.

John Verry (07:20):

[inaudible 00:07:20] in the defense industrial base defense supply chain?

John Laffey (07:23):

Yeah, absolutely. Yeah.

John Verry (07:24):

Yeah, so let’s actually walk through that. So the major clauses of the ISMS, we’ve got the context, we’ve got leadership, planning support, operation performance, evaluation improvement. That’s the same whether it’s ISO 27001 or whether it’s 9001. So let’s talk about that. So let’s talk about context and let’s talk about how the context applies in a CMMC world.

John Laffey (07:50):

Yeah, so I think this is actually going to be a key moment in the path to CMMC certification for a lot of organizations because the scoping of the system is critical as far as really understanding what information you handle and what systems that information lives on. Because for instance, for a manufacturing company, they may deal with some of that information, but it may be in a very limited manner. There may be, maybe there’s only one server where that information lives or a small subset of people who handle that information. So when you talk about context, it’s really understanding what your organization does, who the interested stakeholders are in your organization and what their information security requirements are for you. But with CMMC, that’s going to be limited to either CUI if you’re handling it or Federal Contract Information or FCI. So it’s really those specific types of information that they’re concerned about protecting and having all of these various practices in place.

John Verry (08:47):

Yeah, one of the things that I always say to people is that doing an excellent scoping exercise is sort of making sure that we have the ladder against the right wall before we start climbing it.

John Laffey (08:56):

Yeah, exactly. It’s a great way to plan.

John Verry (08:59):

And ahead. And I think that’s what you’re referring to there. So let’s slow that down just a bit. So you talked about FCI. So understand, excuse me, CUI. So understanding how that CUI especially flows and FCI for that matter both through your organization is critical, right?

John Laffey (09:12):

Yes.

John Verry (09:13):

So to me, I look at something like data flow diagramming as an excellent way to do that because really, like you said, I use the payment card industry terms, store, process, transmit, which kind of holds true. So any system that stores, processes or transmits FCI or CUI belongs in that enclave. And I think a lot of people do things, the way they do things currently might be the current scope, but the other advantage of scoping well is you know where you are and then you can look at that before you actually start the initiative and say, is this really the most efficient end state, right?

John Laffey (09:45):

Absolutely.

John Verry (09:46):

Because if you’ve got 100 people and really only five of them need access to the CUI, but you’ve got all 100 having access, suddenly all of those obligations, those 130 practices apply to a much broader cross section of your organization systems than it would otherwise.

John Laffey (10:03):

Yeah, absolutely. And I mean, at a much larger cost and time and other resources to implement those practices. So that’s a good analogy. Making sure you have the ladder against the right wall before you start climbing.

John Verry (10:12):

Right.

John Laffey (10:13):

It’s going to be critical.

John Verry (10:14):

Yeah, the other one too that I see that when we chat with people, I don’t know if you see this as well is sometimes the CUI is beholden to other standards. So it might be ITIL or it might be no foreign or no REL or even sometimes the FCI can actually become CUI in and of itself if there’s enough technical detail to them.

John Laffey (10:34):

Sure. Yeah, absolutely. So, and I mean, ideally all of these organizations should definitely be aware if they’re handling CUI and a lot of these requirements in CMMC have been in place in the D-file for awhile. So ideally a lot of these things would already be implemented. But yeah, it’s going to be critical that you understand the specific nature of the FCI or CUI because as you mentioned, there’s a CUI registry. Depending on the classification of that CUI, there could be additional requirements above and beyond just what’s documented in the CMMC standard.

John Verry (11:09):

Right, and then the last thing I think about context that I think is something people sometimes overlook as the third parties.

John Laffey (11:16):

Absolutely, that’s going to drive a ton of what you need to do, what are the requirements in place with your third party? What are the contractual requirements that you’ve agreed to? You need to have a really good understanding again, of exactly what type of information you’re holding and what requirements in terms of security you’re beholden to as a result of that.

John Verry (11:37):

Yeah, and also the flow down, your responsibility to flow down requirements under 7012, 19, 20 or 21.

John Laffey (11:45):

Right. Exactly, and I think it’s going to be really interesting just in some preliminary talks that I’ve had with existing clients of ours for 9001, let’s say. A lot of them aren’t real sure if they have CUI or not, which I don’t think it’s going to be unique because there are so many smaller companies in the DIB and a lot of them are just small manufacturing houses. But yeah, it’s going to be critical at the beginning going through the process to talk with your contracting officer. And if you’re not sure, just say. Are you giving a CUI or are we giving you back CUI? And there’s special requirements around that. But it’s definitely going to be a place for you to start, like you mentioned, with the data mapping. You need to understand what data you have and how you get it and what you do with it so you can then identify the subsequent systems and people that are handling it and start to build a coherent scope.

John Verry (12:38):

And what you just said I think is really important and it is one of the things we see people don’t fully understand either is that it’s not only the information that you’re receiving, but it’s the information you generate. Can be CUI as well.

John Laffey (12:49):

Right.

John Verry (12:50):

And I think people like… They forget that.

John Laffey (12:53):

Yeah, absolutely. Yeah, and so a lot of what the DOD wants from its contractors is going to end up being CUI for a lot of these contracts. So that’s actually what you’re being hired to create in a lot of these cases. So again, and I think this is a big motivator for them making this a requirement with CMMC is to make people do this due diligence. So they I think had hoped was already happening, but to really sit back and understand what are we handling, what are the potential risks along with how we’re handling, storing and distributing this information.

John Laffey (13:24):

And there’s been countless examples of what can happen when this information does get leaked and with other nations and potentially hostile threats being able to utilize our military research and streamline some things to produce their own competing products, let’s say. But yeah, I think this is just kind of everybody coming to the table and saying, look, we need to get a handle on this stuff and it’s got to start here. And you really need to understand just set the baseline, what do you have, what are you giving back to the government, how are you keeping it safe.

John Verry (13:58):

Yeah, and I think for the 9001 folks that are listening, this context that you’re familiar with, Clause 4 is really the core or the core initial part of an SSP document. So the system security plan is one of the core documents of CMMC or NIST SP 800-171 conformance.

John Laffey (14:18):

Absolutely.

John Verry (14:19):

And that first part of the document aligns perfectly with that context. It’s the boundaries, it’s the scope, it’s the data, it’s the people, it’s the systems, it’s the stakeholders, right?

John Laffey (14:28):

Yeah, absolutely. So-

John Verry (14:30):

But you had to define that for your 9001. Now you’re just defining it again using the same exact process ideally for CMMC.

John Laffey (14:38):

Yeah, absolutely. A lot of that work is already going to be, excuse me, already going to be done for you because as you mentioned, it is the exact type of information that you need to quantify and understand for 9001 and that context requirement.

John Verry (14:51):

Yeah, so we took a long time for context and I actually think that that is really appropriate because I would argue context is the single most important thing to get right and then everything flows logically from that. So talk about leadership is the next clause. What are we covering there and how does that relate to CMMC?

John Laffey (15:11):

So I think leadership, the main thing, what we’re looking for is that at the top level, there’s buy-in, whether it be with 9001 in a management system or whether it be with the CMMC model because in practice what I see as an auditor when I go to audit an organization and it’s clear that they’ve hired a quality manager and it’s one person and it is their responsibility to completely implement and maintain the quality management system, they typically… It’s a little bit tougher. You need at least at the top level a message to the organization at large of what we’re doing, why it’s important, how it’s going to help us, what the expectations are, really driving the entire process and continuing to champion it, making sure resources are available. I mean, there’s a good chance certain things might need to be purchased or individuals may need to be hired and they need to be on board with all of it. And they should also have eyes on it because it’s a great mechanism to understand how your organization’s performing. A lot of what happens with the quality management system is you review different process indicators and how things are performing and you use it to drive change. So I think it’s absolutely critical that top leadership is involved.

John Verry (16:21):

Yeah. Yeah, I mean, that’s… Without, you know what we call tone at the top, you have nothing, right?

John Laffey (16:27):

Mm-hmm (affirmative).

John Verry (16:27):

Because if you’re a quality manager or you’re an information security director, if the boss is saying, hey, I’m not going to use strong passwords or I’m not going to let my system be monitored, I’m allowed to do something. That attitude flows down to everybody. So yeah-

John Laffey (16:43):

That’s true.

John Verry (16:43):

… I think that’s well said. Next clause is planning, how does planning tie in to CMMC?

John Laffey (16:51):

So again, as I mentioned before, I think planning is going to be critical once you start getting up to those level two and level three maturity level certifications because that’s the point when you actually now have to sit down and actually document policies that say what you’re going to do. And you also have to document your approach for implementing those practices or controls. There’s a practice that requires that all users are uniquely identified on your system. Okay, at level one, you can just show someone this we’re doing it and that might be okay. But when you get more into the higher maturity levels, there should be a documented process that says, this is exactly how we do it. A ticket is opened up in this system. It must be approved by this person, whatever the case may be. And it shouldn’t be something that can be repeatable. New employees can be trained on it. There’s a single source of information to go to understand how we do these things to make sure that there’s no deviations and there’s nothing that falls through the cracks.

John Verry (17:47):

Yeah, and I think the other big part of planning is that concept of risk assessment and risk management, right?

John Laffey (17:53):

Absolutely. Yeah, from a 9000 and 27001 perspective because it’s a 9001 as well. Now risk management, risk-based thinking. If you’re going to make a change, if you’re going to bring on a new supplier, if you’re going to integrate with a new cloud-based platform, really going through and understanding all the potential impacts that could have and the information security risks or just business risks associated with potential things coming to pass, it’s a cornerstone for information security as risk assessments 27001 drives everything. And it’s a requirement in CMMC as well. So yeah.

John Verry (18:30):

I like what you said because I don’t think people think of it that way. So once you’ve kind of established the context and let’s say you’ve perfectly implemented all of the practices or controls in an environment to mitigate risks to perfect level, you’re in this static position and then change equals risk. So I liked the way that you said that. Every time something changes, you signed a new contract, you hire a new person, you bring in a new system, you migrate to a different cloud service provider, it needs to trigger that thought process, right?

John Laffey (19:01):

Absolutely, interesting, it’s one of the things I typically see with my 27001 clients. There’s usually a learning curve because they don’t have their first year or two and they’ve done a great initial risk assessment. And like you mentioned, things kind of become static. Well, let’s say company X now went from having on-premise servers, their clients are loading up the software, they’re creating on their own on-premise servers and now they want to do a cloud-based offering and they’re going to have Azure or AWS in the fold. And it’s a complete paradigm shift and there’s no new risks identified on the risk assessment. I’ve seen this before. So it’s a conversation we have and eyes are opened. And yeah, you’re absolutely right. And they get back to their same risk assessment process with the new risks and what they need to do to mitigate those. But yeah, it’s got to be something that’s very much a part of any change. And you gave great examples. It could be hiring new resources, new suppliers, new product lines, new office working remotely-

John Verry (20:00):

Yeah. Yeah-

John Laffey (20:01):

… during quarantine, anything.

John Verry (20:02):

… Change equals risk.

John Laffey (20:03):

Yeah.

John Verry (20:03):

Yeah, working remotely especially. This year has been a big year for that because like you went from so many of our controls were proximity location reliant. Outgoing out through a firewall or the controlled treatment heading out to the internet suddenly that no longer existed or hey, all systems were updated when they were sitting on the LAN. Well, they hadn’t been on the LAN. So now we have no way of updating our systems. Yeah.

John Laffey (20:30):

Yeah. Yeah, definitely no doubt.

John Verry (20:30):

It’s been a fun year for that. So we talked about that planning. So that really gets into that concept of that risk assessment. I think that gets into the concept, like you said, of beginning to document those practices. Things like POA&Ms coming out of the risk treatments and things of that nature, correct?

John Laffey (20:47):

Yeah, absolutely. But I do want to note because I did go through the provisional assessor training, that was made clear there that POA&Ms are fine, but at the actual CMMC assessment, they won’t be accepted as passing a control by having a POA&M in place. All the controls actually have to be implemented. But yes, absolutely. Those would be the kind of artifacts that would come out of those. Hey, this is where we found our gap or our risk. This is how we’re going to fix it. And then obviously just following through on that POA&M.

John Verry (21:12):

Yeah, it’s funny. A lot of times when we’re doing an internal audit, we’ll ask to see the information security budget. People are like, “Why do you want to see the budget?” Because we’ll look and see what was budgeted. And then we’ll look at the risk assessment and say, hey, are you spending money to mitigate a new risk or not? Right?

John Laffey (21:27):

Sure.

John Verry (21:27):

I mean… And if somebody is spending $10,000 on a device to identify IoT devices on the network, why isn’t that on the risk assessment?

John Laffey (21:37):

Right. Yeah, absolutely. Absolutely.

John Verry (21:38):

All right, cool. So we talked about planning. The next clause is support. What is support?

John Laffey (21:44):

Well, support, when I look at it from the management system point of view, I’m typically thinking about training competencies, determining what the required competencies are and then ensuring that those folks are meeting those. Obviously with information security, you’re also looking at an ongoing training to build a culture of security awareness. And I think there’s a lot of different approaches organizations can take, but it should really be something that’s continuous. It’s not just you were hired and part of your week long whirlwind orientation meetings, they talked about locking your computer or using a strong password. And it shouldn’t be something that’s happening on a regular basis. And again, obviously there’s practices related to that in CMMC as well, but that’s mostly what I think of in terms of support.

John Verry (22:31):

Yeah, I think the other one that I think of as well is budget, right?

John Laffey (22:34):

Sure.

John Verry (22:35):

… And financing because I mean, all of the things that you talked about require financial commitment. We need training. We need to hire competent people and things of that nature. And I was very much surprised the first time I looked at ML 3997 and saw some of the guidance that they hold you to there. And one of the things that they did specifically mention was does the organization budget an appropriate amount for training and maintenance of tools and acquisition of tools to be able to support these controls? So don’t be surprised if your CMMC auditor asks about your budget.

John Laffey (23:11):

Yeah, no, absolutely. And again, they can relate back to that leadership too. It’s another way to demonstrate commitment from the top is they’re actually funding these projects.

John Verry (23:20):

Yep, operation is the next clause within the management system. Talk about that.

John Laffey (23:26):

Yeah, so this is where typically the rubber hits the road. And this is where you’re going to have those various processes defined that actually drives you to do what you do, whether it’s delivered services or produce manufactured goods. And this clause is where you’re going to go through the process of making sure those are being done in a repeatable manner to reduce any issues with quality or information security depending on what your standard you’re looking at. In CMMC, this is obviously going to be where we’re looking to verify that those practices that you’ve said you’ve implemented in a given way are actually being carried out that way. So this is where a lot of the time the assessments are going to be taken up is verifying that you’re doing what you say you do. That’s kind of auditing one-on-one say what you do and do what you say. So…

John Verry (24:11):

A question for you. So because you’re a 9001 and a 27001 auditor. In 27001, we have a tendency to, I think, audit the management system and sample the controls because the logic is if the management system is operating the way it should, the controls and everything downstream flow naturally from it. Let’s all sample them to make sure. I know it’s working here. I’ll sample to make sure I’m not missing something. CMMC is going to be a bit different. CMMC is going to be much more onerous. They need to demonstrate a habitual and persistent execution of each control. So we’re going to be looking for two forms of objective evidence for each. Is CMMC more like, excuse me, is 9001 more like CMMC, where we’re sampling at a higher rate like that of the actual quality practices or is it more like ISO where you’re auditing the management system and just lightly sampling the actual execution of the controls?

John Laffey (25:07):

I think 9001 specifically, you’re going to be spending a lot of time sampling what they’re actually doing on the production floor or in their service delivery processes because yes, it’s very important that the management system clauses are in place and that those are verified, but at the end of the day, the biggest effect on quality is going to be what those folks are doing great in terms of operations. Open up those parts or writing the code or consulting or staffing or whatever the case may be. That’s where we want to spend the majority of our time as a 9001 auditor really getting a good look and understanding of if all the folks involved with that process are following it, if they understand it and if they’re getting the expected outcomes.

John Verry (25:47):

So that means and I think the folks that are ISO 9001 are probably going to be a little bit better prepared for their audit because I think-

John Laffey (25:53):

Yeah, absolutely. I think you’ll feel a lot more familiar to them. And so have a good expectation and I’d say probably be more prepared.

John Verry (26:05):

… Yeah. Yeah, I think so as well. Performance evaluation is the next clause. Tell me about performance evaluation.

John Laffey (26:11):

Yeah, I love performance evaluation because as long as the client’s doing it, it makes our job as an auditor real easy. We just come in and say, yeah, okay. You did a great internal audit and you are driving improvement. But yeah, as a 9000 and 27001 auditor, this is a critical clause. Just basically is what should be driving the system in lieu of a third-party certification body. You should be as much as you can internally auditing your own system just like a third-party certification body would. Sampling those people in operation, looking at the management system clauses in terms of CMMC or 27001, looking at controls and practices, sampling making sure, I don’t know, permissions are assigned as they should be and encryption is in place where it should be, whatever the case may be. It’s kind of the day-to-day, month to month, year to year maintenance of ensuring that things are staying on the rails and that nothing’s slipping.

John Verry (27:05):

Yeah, I think it’s interesting that CMMC doesn’t specifically require an internal audit-

John Laffey (27:11):

Yeah-

John Verry (27:13):

… and ISO 9001 does.

John Laffey (27:15):

… Yeah, it is. Personally, I think it might be a value add, but maybe they’re comfortable with just having the third party assessors take care of that. But I think it’s a good idea for any organization to have some type of internal auditor checking or regular kind of maintenance where you’re looking at these various things because everybody knows you get busy, pandemics happen, crazy things happen. And the stuff that you’re doing with management systems or complying with various frameworks might not always be at the top of mind. So it’s a great idea to have something in place at some regular basis to just at least do a once over and make sure things haven’t gone off the rails.

John Verry (27:57):

Yeah, I think most organizations that we’re talking to kind of want to do it anyway because I think the fear of not passing their CMMC audit and then costing them the ability to bid on contracts is not a risk that they’re willing to take. And I think the other thought side is that if you did a good enough job with security metrics I think and if you did a good enough job with operationalizing the information security management system in such a way that the objective evidence that’s needed is easily validatable by you yourself independent of an outside internal audit, I think you’ll probably be okay.

John Laffey (28:37):

Yeah, absolutely. And yep, with more mature systems or just well done systems, like you mentioned, hopefully, the day-to-day work that folks do result in that objective evidence being available to review because it’s just the way they go about their processes. It’s not something special they need to do to show an auditor, it’s just, yeah, here’s what I worked on yesterday. Take a look.

John Verry (28:58):

Yeah, so I mean, you have two things. You have, do I have the evidence and then does the evidence fit the control. And what I mean by that because that sounds a little big, I may have the evidence that I’m monitoring, getting security logs for a particular system that’s got CUI, but I might not be getting the right logs, I might be getting, let’s say the security and application logs, but not security and application logs at that host system, but I’m not getting the application mark from the system itself. Or even if I’m getting from the application itself that we’re accessing. And even if I’m getting that, I might not be getting the right log events from that system to be able to achieve the objective of that particular control.

John Laffey (29:42):

Sure. Yeah, the devil’s going to be in the details definitely. But at least we have somewhere we can start to look and understand if there is a gap where that is. Yeah, absolutely. You’re going to be in a much better position as opposed to, can we see this? No, I don’t have it. I’m not sure how to get it to you. That’s-

John Verry (30:02):

Yeah, that’s going to be a short conversation.

John Laffey (30:04):

… Yeah. Yeah, we’ll be moving on to other items of business.

John Verry (30:08):

Exactly. All right, last clause, improvement. So talk about improvement.

John Laffey (30:12):

Yeah, again, improvement as a management system auditor very important. And this is ideally where all this information that’s being gathered, all these objectives we’re defining, all the metrics that support them, at some regular interval, the important folks, top management, program management, the key folks in the organization are getting together, meeting and looking at all this information and saying, where are we? How are we doing? Are we getting the expected outcome? Are we driving improvement? What can we do to improve our system in our organization? There should be a lot of decisions made or follow-up items that come out of these meetings and this should really be a huge mechanism for change and driving improvement within the organization.

John Verry (30:56):

What are some of the other systems? So risk assessment process might be a way to do that. Security metrics. Talk a little bit about some of the-

John Laffey (31:06):

Yeah, absolutely. So-

John Verry (31:06):

… some of the way that you would do kind of be able to measure that, if you will because at the end of the day, you’d ideally like to show someone measurably, numerically, if you will-

John Laffey (31:15):

… Sure, and there’s a number of different ways to do it. It could be number of security incidents that occurred in a given interval, depending on what tools you have in place, it could be a report showing how many potential attacks or breaches were blocked or I think a great one is if you have some good security awareness training and you can show metrics of, hey, 40% of people clicked a phishing link in Q1 and that’s down to 8% or 12% in Q3 or Q… Something that’s clearly showing, hey, what we’re doing is working, the investments we’re making are paying off and we’re reducing our risks in these various areas due to the actions we’re taking.

John Verry (31:54):

Yep. Yeah, percentage coverage on your SIEM solution, mean time to close vulnerabilities, right?

John Laffey (32:01):

Yeah.

John Verry (32:01):

You should have window of exposure. Those are all kind of cool things that not only are they valuable in terms of passing your audit, but they’re valuable in terms of reducing your organization’s risk.

John Laffey (32:11):

Yeah, and you know what, John, I think that’s great because a lot of clients that I audit, no, but some, it can be difficult to have these kinds of more quantifiable metrics in place for information security. A lot of times the objectives are kind of nebulous and super high level and it’s hard to actually create these measurables that are going to be tangible and that are still driving improvement in terms of information security. So I think those recommendations or those examples are excellent.

John Verry (32:40):

So that’s really interesting. So you said something earlier and you just said something else that you and I probably have a very similar perspective on, which is that it’s relatively easy, when I say relatively, to get ISO 27001 certified. It’s much harder to actually stay certified and actually live to the true spirit of what we’re trying to accomplish because… And I would say people struggle with operationalizing ISO. So the way that you just said, context change isn’t reflected in risk assessment, security objectives aren’t being constantly updated. Talk a little bit about some of the challenges that you see and not only did we see that, but I’ve… We’re ISO certified. We’re in our fourth year. I’m embarrassed to tell you the cobbler’s children were running around a little bit shoeless for a while and that took us two or three years to really start to dial in our management system.

John Laffey (33:35):

Yeah, no, I think what you’re saying is absolutely accurate with a lot of my clients. Initially, there’s a big push. It’s a huge undertaking and they do a great job with it. But unfortunately, it kind of just starts to sit on the shelf a little bit because like you said, it hasn’t been operationalized. It hasn’t been injected into people who don’t directly work with information security in terms of they’re not either in information security management or IT, maybe they are a programmer or in marketing or in sales. Now you and I both know that they definitely have an impact and kind of have an impact on information security. But the trick of it is to inlay those information security related. I don’t know. I can’t come up with a good word for it. But in a way where it’s just still part of them doing what they need to do as their day-to-day business. Not something that they’re overburdened with. It becomes embedded in the culture of the company, I think, is important and can be challenging.

John Verry (34:35):

Yeah, no, I see it completely. And to be honest, we were guilty of it ourselves. You spend a year getting ready and you get it all stood up and then you’re excited and everything’s great. And all of a sudden six months go by and you’re like, I think we were supposed to be doing something-

John Laffey (34:48):

Seem like we did a lot more last year.

John Verry (34:51):

… Yeah, and the audit comes up and you’re like… And now I’m embarrassed in front of the external auditors [crosstalk 00:34:59]. I’m an ISO certified lead auditor. I’m sitting there getting beat up in our audit. Then you’re like, well, you know what? It is what it is. So I do think that… No, so here’s where it gets really interesting and where I think this is going to come back full circle. Would a quality mantra 9001 expert be someone who is excellent at running a CMMC program?

John Laffey (35:20):

I think they would definitely have a lot of necessary skills to be a part of the team leading the CMMC implementation. I think from the background they would have from going through 9001 to 27001, understanding of the management system requirements that we’ve discussed here is going to give them a leg up on, say, someone who is super technical, but not concerned with processes, policies or management systems.

John Verry (35:45):

Exactly, I think-

John Laffey (35:45):

I think they’re definitely a key component.

John Verry (35:48):

… Yeah, I think that the best ISO 27001 management systems I’ve ever seen are run by 9001 gurus.

John Laffey (35:55):

Yeah, and then you just layer in the technical folks when and where you need them. I mean, you definitely do need that technical expertise, but… And they totally, I’ve found in my time auditing, some of the brightest technical people almost have forced into documented policies and plans and procedures. It’s not the way their mind works necessarily. They’re not interested in writing about how they’re going to do something. They just want to do it and show you the next cool thing they can do and check. So I think you need a great mix of the two. But having the management system background I think is going to be key in kind of keeping this whole thing herded in and pushing it to the finish line.

John Verry (36:34):

Yeah, I could not agree with you more. I think guys that get excited by bright, shiny objects, they’re not interested in dotting I’s and crossing T’s and checking off tasks on task lists and making sure that oh, that user account management review ran. I got the email back from someone that said that they did it. I’m going to take that artifact and put it in the right place because the auditor is going to need that. I’m going to look to make sure that the actual, the user account list that they ran was for the right system for the right… Yeah, they had no interest in doing that at all. I mean-

John Laffey (37:06):

All right.

John Verry (37:06):

… So I couldn’t agree with you more. Your best bet. I mean, even if it’s not a 9001 expert, someone who’s more project management oriented process oriented are the best people in the world to run programs of this nature. So do not, if you’re listening to this and you’re worried about being successful in CMMC, don’t let your brightest and best technical guy do this because more likely than not he’s not the right guy for the project.

John Laffey (37:28):

I completely agree.

John Verry (37:30):

Cool. All right, so we beat it up pretty good. Any last thoughts, anything else we should cover before we start to wrap here?

John Laffey (37:38):

Nothing comes to mind actually, John.

John Verry (37:40):

Cool. Cool, I don’t know if you’re prepared. I did send ahead a long time ago the question I was going to ask. Let’s see if you were prepared for it.

John Laffey (37:48):

Oh my…

John Verry (37:48):

He’s looking nervous. He’s-

John Laffey (37:53):

I actually was looking for the outline shortly before I jumped on this podcast.

John Verry (37:54):

Oh, John, this isn’t good. Yeah-

John Laffey (37:56):

Let me tell you briefly. I’m not prepared.

John Verry (37:58):

… you were doing well up to this point, represent yourself well. I think people were leaving with a positive image of you. And now you’re going to embarrass yourself in the 11th hour here.

John Laffey (38:05):

It’s okay. That’s par for the course for me.

John Verry (38:09):

My wife would tell you the same thing about me. I’ll ask you the question. If you don’t have an answer, it’s okay. I’m going to give you a pass. So the question was what fictional character or a real person do you think would make an amazing or horrible CISO or CMMC leader, ISO 9001 lead in the DIB and why?

John Laffey (38:25):

Oh, God.

John Verry (38:27):

I’ll give you a hint. Some people have used football coaches. Some people have used people like The Rock. Some people have used Iowa.

John Laffey (38:34):

I want to say someone who’s scared of their own shadow, but I can’t think of it. But they would be horrible because they can’t… My opinion on all this stuff is it can feel so overwhelming, but really it is attainable by organizations large and small. It’s not some behemoths that it’s not an objective you can’t get to. I always say there’s a lot of insecurity in information security. And I don’t mean the technical controls. I mean, that people feel insecure about what they’re doing and that they’re not secure enough because it does change so quickly. But that’s just the nature of it. You just have to be involved with it. You have to be dedicated to it. And then just continually pursuing whatever the case may be if it’s CMMC or ISO 27001. But don’t be overwhelmed by it and don’t feel like it’s not for you or it’s not something you can get to because I believe anyone absolutely can as long as they’re dedicated to it.

John Verry (39:22):

I think that’s an excellent answer. And I agree with you that this is big. I mean, there’s a lot there, but it’s eating an elephant and it’s a bite at a time, right?

John Laffey (39:30):

Mm-hmm (affirmative).

John Verry (39:32):

Now any little piece of it and I do think if you have that 9001 quality manager, project manager grind kind of person that is just, okay, this is a project plan and it’s got a lot of pieces in it and a lot of steps, but we know the logical way to do this. We know we got to go through scoping and then once we understand scoping, we can understand risk. And once we understand risks, then we can look at our gaps. And then it’s just a matter of just sitting there and running for our depths. Yeah-

John Laffey (40:01):

Absolutely.

John Verry (40:01):

… I think that’s really good guidance. It’s a lot, it’s a lot. It’s going to take time, it’s going to cost money, but it’s definitely not overwhelming, right?

John Laffey (40:10):

Yeah, absolutely.

John Verry (40:12):

Cool. Last question. You chat every day on a lot of the same issues we do and some issues we don’t. Any other topics that you think would be good for our podcast?

John Laffey (40:21):

Maybe. So again, in the provisional assessor training, I’m interested to see what comes out. But they did talk about some reciprocation maybe with other existing standards.

John Verry (40:29):

I-

John Laffey (40:31):

I don’t have any more information than anyone else.

John Verry (40:34):

… said that. I know and you can’t get information.

John Laffey (40:37):

No.

John Verry (40:37):

Just so you know, reciprocity is on my list of things I want to talk about. I’ve reached out to folks at CMMC-AB, at DCMA, no one is willing to go on record yet about that. And I don’t understand how for the life of me, some of the reciprocity they’re talking about can possibly work because I mean, they did… FedRAMP reciprocity is something we talked about and that makes sense to me because FedRAMP is certainly a superset, if you will, of CMMC. 325 practices versus 130. And I know some of them are just a little bit more specific. But that makes sense to me. But the ISO 27001 is fascinating to me-

John Laffey (41:17):

Fascinating.

John Verry (41:18):

… because I mean, I don’t understand how it could work because the problem with ISO 27001, and it’s not a problem, problem with ISO 27001 in terms of reciprocity. But what makes ISO 27001 I think a great standard that can be applied to a widget manufacturer or to somebody who’s saving that life and limb may be at risk is the idea that there isn’t just three prescribed risk levels like there’s on this guidance and that with infinite risks, we have the ability to tailor our controls to explicitly match our risk. How can, if I’ve set my risk tolerance on authentication down to not requiring multifactor authentication, well, then how could that possibly be, have any reciprocity with CMMC in the requirement, I’m going to say for multifactor authentication?

John Laffey (42:05):

Right. Yeah, the fact that the controls in CMMC are a bit more, I’m sorry, the practices are a bit more prescriptive I think is where there would be.

John Verry (42:14):

I think you’re being kinder.

John Laffey (42:17):

Well, it’s being diplomatic. As an assessor, I look forward to it because with 27001, you can spend so much time trying to get on the same page of like, okay, I understand you can set your own acceptable level of risk, but you telling me that you just have public facing computers that anybody can use without authentication doesn’t jive with your high level objective of saying, you want to have secure, sustain… But I agree. I think that and maybe that’s why nothing’s been said. I just brought it up to see. I was hoping maybe you love it more than me, but-

John Verry (42:47):

I wish I had met-

John Laffey (42:48):

I’d love to talk about it.

John Verry (42:49):

… Yeah, I would too. That would be so much fun to really have that conversation. And I think because they don’t know the answers that they don’t yet want to go on record, which I can’t blame them.

John Laffey (42:59):

Yeah, no.

John Verry (42:59):

There’s nothing worse than coming on record and saying, well, yeah, we haven’t figured that out yet. Yeah, we haven’t figured that out. So basically you haven’t figured it out yet, why are we talking about reciprocity?

John Laffey (43:06):

Yeah.

John Verry (43:06):

Well, because we think it’s a good idea. So I like the idea that they’re talking about it, but I think the devil’s in the details about how it’s going to actually translate. The other thing too of course is the scope has to be identical.

John Laffey (43:18):

Right.

John Verry (43:19):

Might-

John Laffey (43:19):

Yeah.

John Verry (43:20):

… which gets really interesting. And not only that… And now you’re really getting into where… And I actually liked this idea. Anyway, I’m curious as to your thought. I’m increasingly liking the idea of a system security plan and think it’s a better ISMS scope statement than a regular ISMS scope statement is. And-

John Laffey (43:38):

It’s using an SSP as opposed to the-

John Verry (43:42):

… Yeah, using the ISO scope statement.

John Laffey (43:43):

Yeah, I think it would absolutely… I think because it is a bit more prescriptive, it’s going to be a little bit higher level of assurance that they’re going to capture the information that you really need to. It doesn’t give as much wiggle room for someone to maybe accidentally leave things out that they didn’t know they needed. It gives them a bit more guidance, which I think it’d be very helpful, especially for someone going through it the first.

John Verry (44:06):

Yeah, so it’s going to be fun. Well, I have a last question for you just out of curiosity. Where are we at with ISO 20000? There was a stretch there where I thought it was going to be the next significant standard. And then it kind of just, at least in our field of view, it kind of faded away. Do you see a lot of ISO 20000 out there still? And is it in particular protocol, particular use cases?

John Laffey (44:29):

So interestingly, we saw the same thing. I thought it was going to be the next big booming standard. And then it kind of petered out for maybe going on two years. But John, to be honest, in the last six months, we’ve quoted or transferred double digit companies that either have just 20000 or 2027 or 20279. So I don’t know if it’s in contract vehicle for the DOD, that’s something I did hear or companies felt that they needed all three of those, but I definitely did see in the last six to eight months a nice uptake in 20000 businesses.

John Verry (45:03):

By any chance, IT service provider organizations had service providers that style or not sure?

John Laffey (45:09):

No, it’s been mainly IT or I’m sorry, just contract, federal contractors who realistically are really doing staffing. I mean, they’re providing services, but when you look at what they do, they’re kind of-

John Verry (45:20):

Yeah, but that… And that’s weird because 20000 doesn’t make a lot of sense there.

John Laffey (45:25):

Well, obviously with the latest revision, it’s not IT service management anymore. It’s just service management. But yeah, I don’t know. It’s an interesting standard to me because there’s so much in there. But again, I think maybe the way you feel, I feel it really lends itself to hosted service providers or IT service providers.

John Verry (45:41):

Yeah. Yeah, that makes… That’s where I would see it because to me, it’s an ITIL, you know what I mean-

John Laffey (45:45):

Yeah, and this is where I came from.

John Verry (45:47):

… everyone. Yeah, so I mean, I would’ve thought that you would have seen them more in those types of use cases where someone’s delivering a set of IT service on somebody else’s behalf and the quality of those services is critical to validate.

John Laffey (45:59):

Yeah, it’s interesting. And frustrating for me in that I would really love to have a client who does hosted service providing or IT service provision because it seems like a lot of them are kind of staffing companies. So a lot of the stuff that’s in there, it’s kind of a stretch or reach or… I’m with you on that. I think it more closely aligns with the company who delivers IT services. But-

John Verry (46:24):

Cool. Well, this has been, at least for me, a lot of fun. Thank you.

John Laffey (46:28):

Awesome. I had a great time too.

John Verry (46:30):

If somebody wants to get in touch with you, what would be the easiest way for them to do that?

John Laffey (46:35):

They can reach out to me via email, [email protected]. They can call our headquarters at 1800-800-7910 or they can click on www.pjr.com. That goes over all the different standards we’re involved with, different ways to contact us, webinars we’ve done in the past, upcoming webinars, all sorts of different free training. Check it out. Give us a call if you’re interested, we’d love to talk and see if we can help.

John Verry (47:00):

Cool beans. Thank you, sir. I appreciate you coming on.

John Laffey (47:03):

Thank you, John. Have a good one.

Narrator (47:05):

You’ve been listening to the Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time. Let’s be careful out there.