In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the latest views relating to system integrity assurance and how it relates to CMMC requirements. 

Q: Joining us today is President and CEO, Robert E. Johnson III. Robert has been a pioneer in the development of next-gen system integrity monitoring, self-healing systems, and cyber security software. Welcome back, Robert, looking forward to our conversation today.

A: Hello, Hillarie, glad to be back on your show and can't wait to learn what topic we're going to discuss today.

Q: Well, Robert, I'd like to talk to you today about cybersecurity maturity model certification, also known as CMMC. So, your organization is certainly no stranger to the various regulatory requirements that businesses face, and that includes CMMC. We've seen quite a bit of first steps, or how CMMC can impact companies in various formats, such as blogs, webinars, etc. And in fact, you did a recent webinar about CMMC, and in it, you discussed system integrity assurance. Can you elaborate more on system integrity assurance?

A: Yes, yeah. You know, system integrity assurance, that really started being communicated to the general public as a result of a Gartner report regarding cloud workload protection. And it's really a concept that extends beyond simply the monitoring of the integrity of files. But it's more of the entire system, and when I say system, I mean beyond the individual machine, but the entire system. For instance, the human resource system, or an accounting system - the bigger vision of what a system, a collection of computers that achieve a particular objective does to monitor all of the components of that system for deviations and integrity.

So that would mean, say, monitoring network device configurations, or monitoring your database for changes and schemas, or monitoring your cloud-based firewall, or settings in containers, or in Docker and Kubernetes. It even extends, when you think of it, of a system, as that bigger vision of a system. It even extends to, for instance, understanding when a new user is added to Active Directory, or unexpected privileges have been granted to a user. So, that's really what system integrity means, system integrity assurance means, in a nutshell.

Q: Excellent. So, how does system integrity assurance correlate to CMMC?

A: Well, sure. CMMC is becoming increasingly important, because this is something that the entire Defense industrial base must implement at one level or another, and actually there are five levels. And they have to accomplish it by 2025 because almost every contract at that point will require one of these five levels of maturity for CMMC. So, it's significant because it can't be achieved easily. There's no self-certification. It actually requires a real audit, a real security audit. So you have to have the right things in place. It's significant because, for many suppliers, this will be their first third-party security audit. For others, just you know, understanding what's needed for CMMC. They'll need to reevaluate their strategy to ensure that they're actually prepared for the audit. And that certainly can be a daunting task and will likely be expensive.

So, just to make sure, you know, there's no confusion here, there is no single tool or product that will be enough to comply with all of the technical aspects and technical requirements of CMMC. So the real question is, okay, with limited resources, and every organization has a limited set of resources, what is the optimal toolset, what is the optimal set of security tools for meeting the requirements of CMMC? So, that's why lately I've been speaking a lot about system integrity assurance in different forums, just because we feel that the single concept can help many of those technical control domains of CMMC and can be accomplished with a single tool.

Q: Okay, that makes a lot of sense, so that sounds like a critical aspect, but isn't system integrity assurance difficult to achieve?

A: Well, it depends on the organization. If you're attempting to implement system integrity assurance via manual methods, or if you're attempting to achieve it using old-school file integrity monitoring tools or change monitoring tools, well you're right, the answer is a big, resounding yes. It's going to be difficult. One of the things we've been doing at Cimcor is we've been working very hard to make our security and compliance software, CimTrak, the easiest and most powerful system integrity assurance tool available in the market. So yes, it helps users detect unexpected changes to servers, unexpected changes in network devices, point-of-sale systems, Active Directory, Amazon AWS, Microsoft Azure, SCADA systems, and a ton more. But, you know, our real focus, beyond detecting when things change and giving you insight into integrity, the state of integrity, has been to eliminate the noise, so that you're only being told about changes that actually matter.

In fact, the CimTrak Integrity platform leverages CIS benchmarks to even identify changes to system hardening. So, that means that we're making life simple for auditors because we can consolidate this wealth of information we've gathered into easy, straightforward reports that directly match the control categories of CMMC. So, with that type of reporting, with that real-time detection, and a simple-to-use toolset, to answer your question, with CimTrak, we think we make implementing system integrity assurance really easy, especially in the context of CMMC.

Q: Awesome. Well, that sounds really great Robert and I really learned a lot in this episode with you. Thank you so much for coming on the show and teaching us about system integrity assurance and how it relates to CMMC.

A: Of course. I love being on your show and look forward to that next time to join you again.

Post by Robert E. Johnson, III
April 26, 2022
Robert is the President/CEO and co-founder of Cimcor, Inc. and an industry leader in cybersecurity. Mr. Johnson has led the development of multiple commercial software packages and several patented and patent-pending technologies.

