R3

Data Governance, Security, and Compliance: CMMC, NIST Risk Management Framework

At the recent Easby FaaS Conference, Beth Leonard, COO at R3, took part in a panel moderated by Kimberly Kuchman (VP of Transformation and Product, Rose Financial Solutions), alongside co-panelists Jen Morris (Partner, Dunlap Bennett & Ludwig PLLC), Jim Wesloh (Founder and President, PROCAS), and Medhat Galal (Senior Vice President of Engineering, Appian), to highlight the critical importance of robust data governance practices in a session titled “Data Governance, Security, and Compliance: CMMC, NIST Risk Management Framework.” The session focused on the evolving landscape of cybersecurity standards, with new and stringent requirements from the Department of Defense (DoD) taking center stage.

You can watch the full session here.  

Some key topics, discussions, and highlights from the panel discussion are below: 

Understanding Data Governance 

Data Governance is a structured framework of rules dictating how data is managed within an organization. This involves meticulous processes such as labeling, classifying, and marking data to ensure compliance with regulatory requirements and organizational policies. Effective data governance encompasses understanding the entire lifecycle of data—from creation to secure destruction. Key questions include:  

  • How is the data labeled and classified?  
  • How long should it be retained?  
  • Who has access to the data?  
  • Who controls it?  
  • What are the secure destruction protocols?  

Implementing these best practices ensures that data is managed efficiently and protected throughout its lifecycle, thereby mitigating risks and maintaining compliance. 

CMMC and NIST: A Symbiotic Relationship 

The Cybersecurity Maturity Model Certification (CMMC) program, although relatively new, is becoming unavoidable for companies engaged with the defense industrial base (DIB). The NIST Cybersecurity Framework, established in 2015 with 110 controls under NIST SP 800-171, has long provided a robust foundation for cybersecurity practices. However, due to frustrations over inaccurate self-certifications, the Government introduced the CMMC program to formally evaluate and certify that stringent and reliable compliance measures have been effectively implemented. This relationship underscores the necessity of adhering to established controls while ramping up efforts to meet new requirements. 

The Three Levels of CMMC Assessments 

CMMC assessments are tiered to offer varying degrees of scrutiny based on the sensitivity of data and the organization’s role in the defense supply chain: 

  • Level 1: Involves a self-assessment, allowing organizations to internally evaluate their compliance with basic cybersecurity practices. 
  • Level 2: Requires an external assessment by a Certified Third-Party Assessment Organization (C3PAO), providing a more rigorous evaluation. 
  • Level 3: The highest level, involving a comprehensive government review, is designed for organizations handling highly sensitive information. 

Government’s Heightened Focus on Cybersecurity 

The Government’s renewed focus on cybersecurity stems from the pressing need to protect national security amidst escalating cyber threats. Utilizing security frameworks (like NIST and CMMC), the Government aims to establish a robust foundation for data governance and cybersecurity. Provisional requirements for CMMC indicate that audits could be required soon, with contractual obligations likely by mid-next year, highlighting the urgency for organizations to align their practices with these new standards promptly. 

Addressing the Audit Bottleneck 

With about 50 authorized C3PAOs and approximately 80,000 government contractors requiring assessments, a bottleneck is inevitable. Proactive companies have made early deposits for mock audits, securing a spot at the forefront of the audit queue; this ensures preparedness and swift compliance when audits commence. 

The Role of SOC 2 Plus Reports 

The SOC 2 Plus report serves as a preparatory tool for CMMC compliance, helping organizations align their security controls with CMMC requirements. By addressing necessary controls and protocols, it ensures organizations are well-prepared for rigorous assessments. 

Artificial Intelligence and its Impact on Finance and Accounting 

AI’s transformative impact on finance and accounting departments makes them particularly attractive targets for cyber threats, so implementing robust data security policies and protocols is imperative. Without proper safeguards, incorrect payments caused by fraud can have devastating ripple effects across the business; therefore, stringent cybersecurity measures in these departments are essential to prevent financial losses and ensure operational continuity. 

Insights on the Shared Responsibility Model 

In the shared responsibility model for security and compliance, technology vendors provide security and privacy through their services or products, including managed services, cloud capabilities, and firewalls. Meanwhile, businesses manage access controls and develop specific security requirements. This collaborative approach ensures both parties uphold their security obligations, enhancing overall cybersecurity resilience. 

Developing Protocols, Access Controls, and Labeling Data 

Developing strong protocols and access controls is crucial in Data Governance. Best practices include setting clear data classification protocols at the root level, ensuring that AI tools are used responsibly, risks are mitigated, training is provided, and unauthorized access is prevented. Proper labeling and classification of data help streamline management and enhance security. 

Developing a Culture Fully Prepared to Embrace Compliance and Risk Management 

Creating a culture of cyber resilience involves comprehensive employee training on risk management. Organizations should focus on mitigating risks and addressing gaps proactively. Employees equipped with the knowledge and skills to identify and manage risks significantly enhance an organization’s cybersecurity defenses. 


Preparing for AI 

Proper preparation for AI integration includes defining access protocols and ensuring thorough data classification. Organizations must be vigilant to prevent AI from granting unauthorized access to sensitive information. Implementing these measures helps maximize AI’s benefits while safeguarding data. 


Balancing Innovation and Compliance in Cybersecurity 

As organizations navigate the rapidly evolving landscape of cybersecurity, it becomes increasingly vital to balance innovation with regulatory compliance. With technologies like AI transforming operations and presenting new opportunities, the need for effective security practices remains paramount. Adopting a framework such as NIST to work towards CMMC compliance can provide a roadmap for organizations to protect sensitive information while embracing technological advancements. Emphasizing continuous training and the development of a proactive cyber resilience culture ensures that businesses can not only meet compliance requirements but also thrive in an ever-changing threat environment. Cultivating a robust cybersecurity posture is not just about avoiding risks; it’s about ensuring sustainable growth and success in today’s digital landscape. 