Actual (00:00)
Welcome to Status Secure. Today’s transmission is about the longest, quietest failure inside the defense industrial base. There’s no breach. There’s no threat actor. There’s no alarm. There’s just a slow erosion of a control library that was stood up in 2019, certified clean in 2021, and it’s now 2026, a paper ghost. The senior network engineer who built it retired. The compliance lead who maintained it left for a prime.
The new CISO came in with the vision to modernize and nobody sat down and asked, do we still actually operate the controls we’re telling the government that we operate? So that is the question your C3PAO is going to ask you. And if you don’t know the answer, the assessor will provide one for you. So CISO, when we were discussing the topic for today’s episode, this idea of a deprecated control environment was at the top of your mind. Can you expand on this for us?
The CISO (00:53)
Um, yeah, I mean, this is, you know, people are really familiar with tech debt, right? That’s where, you know, but people don’t really think about, I don’t know what to call this, maybe, you know, well, definitely control drift, right? Um, so, you know, there’s, there’s usually a control library, right? That sits somewhere.
If you have a GRC tool, it probably sits in there. But let’s take a look. For instance, NIST 800-171 has 110 controls, 320 assessment objectives. Who can remember all of those, especially if you’re looking at multiple frameworks and standards? So you have your control library, but then you have the actual people who are operating those controls.
And a lot of times that’s institutional memory, right? Or what we call tribal knowledge, right? And what happens is, you know, this isn’t a, you know, a bad actor, you know, coming in. This is the decay, right? A slow decay and created by, you know, people leaving, people moving to other roles.
New people coming in, new leaders coming in. And so these things don’t create a log. There’s no log, there’s no alert, there’s no SOC ticket to look at. Most of the time, you don’t find it until an audit or an assessment happens. But by then, your control hasn’t been operating for who knows how long.
or, you know, and so things are missed. So that’s the problem is the, you know, it’s still documented that you have these controls, but they’re not operating effectively or operating at all anymore. But, you know, but the government, right, when you got your government contract, it says that you have these and the expectation is that you’re going to continue to operate these controls.
Right? So, you know, so the reality is, you know, where is your control library? Who owns each control? When was each control last validated against this system that it’s actually running on today? If you can’t answer those in 60 seconds, you don’t have a, you really don’t have a handle on your controls. You have, you have a, and if you have to pull out your controls from your library, it’s, that’s a museum.
That’s what was historically there. That’s not what’s operating right now.
Actual (03:25)
Yeah, and, and I know coming from your background, your experience, we’re not talking about small companies that don’t have the team members, the resources at their disposal, or you’re talking about companies that have a CISO, that have a compliance officer, that have an SSP, that have a POA&M, all these things. And so what I’m hearing is, this, this is what I’m hearing in my
basic analogy, it’s like, it’s like buying a car like a used car. And you don’t know when the oil was changed last. And you get it and you go, well, I’ll just change it in 3,000 miles or 5,000 miles or 10,000, whatever, you know, kind of your whatever car you have, whatever the standard is, right? Maybe we think, I bought a new car. And then the time from when it needs to change starts when I bought it, as opposed to wait a second.
Maybe I should dig deeper and go, when was the last oil change? Because maybe it was changed 10,000 miles ago and you can’t drive another three to 10,000 miles on it. You got to change it today, right? And then otherwise you’re going to do some damage to your engine. This is kind of how this feels to me. It’s, you you get this new person in your example, you get a new person that comes in and they’re going, I’m not going to actually check when my oil was changed last. I’m just going to run with what I got. I should be good for the next.
five to 10 years. Maybe that’s extreme, but it’s kind of like what I’m hearing. So can you like walk me through a little bit further into detail on I’m in an organization. I have all the people, I have all the resources, I have all the assets for this to not slip through the cracks. And if it is, of help us with that. Help us understand this. What can we do?
The CISO (04:56)
So you first have to understand where this, you know, where this drift comes from. Like the first, the first is an orphan custom control. Engineers do it all the time. They’re troubleshooting and they’ve created a control because I’ve identified something. This control was done by, you know, an engineer who is in, it’s in his head.
He knows why he designed it. He knows why he’s operating it and why it needs to be there. But, you know, he’s left the company now, okay, because usually really great senior people move around, right? It wasn’t documented, you know, because your GRC folks who maintain your control library didn’t know about it, right?
So now you’ve got this great control, but nobody documented it. The person who designed it and operated it has left. So now it’s not an all of sudden something happens and you’re like, you you do, you, you do a root cause and it’s like, Hey, this used, we used to do this, but we don’t do this anymore. Why don’t we do this anymore? And it turns out, cause the person who used to operate it is no longer here. That I see that quite a bit.
Right. So the next thing is your, you know, that happens is that you’ve changed your tools, right? You’ve replaced, as an example, you know, you used to use Splunk and now you use Sentinel, right? Or you replace, I mean, especially security tools, you know, there’s a lot of them. And depending on who’s the security leader, sometimes they want to bring their own tools in and now you’ve replaced them, right?
So you’ve had a tool in there. You put the rules in place, what the tool is looking for. Now you’ve migrated to a new tool. It doesn’t quite map one to one. And so you make some decisions about the new tool, because you’re moving to it. You’re not going back. So let’s say maybe there were
you know, there were 50 rules and let’s say 30 of them mapped one to one between the tools, but then 20 didn’t map quite one to one. So now you have to translate or tune the rule, right, to get it to work in the new tool. So, you know, and then, so you do that because you’re, know,
maybe there was maybe the new tool has an additional cost for things. And there’s decisions made that aren’t security based, they’re financial based, right? And so you hear that all the time in projects, hey, we have to, we have to de-scope this because we ran out of time or we ran out of money, right? And so now the same thing, it’s a new tool. So usually new people are, you know, working on the tool or they’re learning it, right? They’re new to the tool. So they’re learning it.
And so, and I’ve seen this too, where now, you know, you have this, you have this tool, but it’s not doing what it used to do. It’s not monitoring for the things that it used to monitor. And nobody realizes that until something happens. I can give, I have an example. had, you know, I know a client who,
They, they did a pen test and their pen tester was able to send a large, a large file with sensitive data in it and their DLP did not catch it. And that, and what happened was, you’re going to find this kind of funny, but not funny. What happened was they had changed their DLP tool and there was a period of time where a lot of companies put their, their, like their rules into,
like, monitoring mode where they’re just, where you’ll get an alert, but it doesn’t stop, right? Where it doesn’t actually stop because they’re monitoring to make sure they’re tuning it, right? They’re making sure that it’s right. Well, in between the timeframe that they were supposed to put it into just, you know, into just alert versus actually stopping, right, a change in people happened on the project and they didn’t, they forgot.
They forgot and never changed the configuration to actually stop, you know, information, sensitive information from going out. It was still only sending alerts, but everybody thought, believed that the tool was stopping, you know, sensitive data from going out. You know, I saw, I see that happen. And that was only discovered because luckily they had a pen test and that person,
and that pen tester ran that test and identified it. The next is you document all these things in an SSP. That’s required, right, that your system security plan. And like any other document, you’re only required to review it when there’s significant change, like material change or…
you know, at least annually, but a lot of times the SSP isn’t considered a policy, right? It’s not considered a policy. It’s considered like system documentation. And so even though that should be the case, it doesn’t happen. They create the SSP one time because they were required to do it and they never look at it again. And so now your SSP is, you know, sits in a museum. And so…
So it’s not correct anymore. And so you really don’t have a complete view of your security environment. And the CMMC final rule, which begins this November, it says that the gap between paper and practice is the first thing that they will.
they will document and identify if they go and they perform an audit. If your C3PAO comes in and you’re required to do a CMMC audit, that’s the first thing they’re going to look for. Hey, give us your SSP. And if that doesn’t match what they find, that’s number one. That’s finding number one. And then the other one is
which we see a lot, that people think that if you have a finding and then you put it in a POA&M to document it, to communicate it to leadership, then you’re done. But that’s not true. You have to remediate them. You can’t have a finding sit on your POA&M for three years. For three years, you have this vulnerability and you haven’t fixed it. That’s going to be a finding.
Actual (11:07)
Got it. Yeah. And so I, as you were going through the, those, those items, you know, I thought, Hey, if I would go back to that car analogy that I had, it’s kind of like saying, Hey, I looked, I bought this new car. I looked for the paperwork. I looked for the receipts. I looked through, I don’t know, a database, maybe mechanics I know of, or some kind of VIN database. I checked with the dealership and I still can’t figure out the last time the oil was changed.
So even if it was changed right before I bought the car, I’m gonna bite the bullet and I’m gonna pay the money and I’m gonna change it right now anyways, because it’s the right thing to do and that’s, you know, planet safe. Last thing you wanna do is drive the car with, you know, 10,000 miles between last oil change and, you know, messing up the engine. And that’s kinda how I feel what you brought up was, is you can’t forget about this stuff, but also maybe they weren’t properly documented in the past, like,
If I’m managing my car now and I might have a folder or maybe even something inside the dash, the glove box, that’s like my last, my oil changes, some of my repairs. So I know the last time if I had to, I could go back into those documents and go, okay, this was the last time it happened. Right. Last time I did this. That way, maybe, maybe I’m going to get screwed, right? Maybe there’s a mechanic that’s like, these guys don’t know much about their cars. So we’re just going to tell them that they need
serpentine belt replaced, we’re going to tell them that they need their tie rod replaced because they don’t know any better. And it would be good to have some documentation to come back in the conversation and say, Hey, you know what, I had that tie rod replaced like six months ago. So what’s going on here? Right? Anyways, I’m kind of going on a tangent. But that’s kind of how I feel on this topic of like, documentation, right? I’m the driver. So maybe like in this scenario, I’m like the CISO of the company. And
Maybe right now there hasn’t been a process of documenting and then properly going through these things in a timely manner. And I might have to be the person that kind of creates that process and steps in and makes sure this stuff is there. Maybe it’s not the thing I do later. Maybe I delegate that. And then we have kind of a corporate system to make sure this doesn’t happen. So on that, what would you say would be like?
The CISO (13:08)
So that’s it for today.
Actual (13:12)
How could you take my analogy but translate it into kind of reality for this topic?
The CISO (13:16)
Thank
Um, you know, I mean, if you, if you’re buying a used car, right, if you’re buying a used car, you don’t just buy it. And then all of a sudden go start replacing, you know, like you mentioned, like the, the, the fan belt, the, you know, the pistons, the engine, the tires that, you know, like when you first buy it, you don’t, you’re not going to be replacing things like that’s not, you know, that’s not prudent, right?
What you want to do is drive that car for a little bit, get to understand it, right? Before you start replacing things or changing things on the car. That’s the same thing. You know, if you’re an incoming leader, you know, there’s probably reasons why, you know, sometimes they come, you know, leaders come in and they see things that are like, for instance, redundant activities, but they don’t have the history. I see that.
I see that too. You know, they’re like, why do we do this? And it’s like, well, the reason we do it this way is because there was an audit finding. And so we designed this to meet that, you know, to mitigate the risk that was identified during that audit. Well, you come in and you’re new, you don’t know that. You just look at it and you think, well, this is a weird control. Why does this, why do people do this? Because you’re coming in with things that you’re coming in with controls from other organizations.
And those organizations had different issues, different vulnerabilities. So before you make any changes, you need to really understand how the car is functioning. why it has like, instead of a, let’s just say you bought it, why.
Why is this model of this part being used instead of this other model? Like you have to learn those things. And so, once you understand that, then you can start making changes. But I see people coming in and it’s what they call vision first, right? So the leader has a vision and they just want everybody to follow their vision and start making changes to that vision.
versus understanding and then start redesigning controls. But that creates vulnerabilities if you don’t understand why those things are there. So yeah.
Actual (15:38)
Got it.
So yeah, and so I kind of want to do a small pivot. I want to talk about and focus on CMMC. And so let’s talk about affirmation. there’s under the CMMC final rule, the CEO or senior official signs an annual affirmation. So they’re personally attesting that the controls are operating as documented. And so in this conversation, can you expand on that and
Let us know too, like what happens if that’s not, if those don’t line up, if that’s not actually inaccurate. You know, if if the doc, the controls documented aren’t being operated.
The CISO (16:14)
Yeah, so, you know, that’s true. You know, every year, the senior, you know, the senior leader has to attest, right, has to attest that they’re operating the way that they said that they were operating, right, affirming those controls. So, you know, it’s required and it’s, and you can’t.
And if something is identified, like if an audit comes and something comes up, or you had a breach, or you had an incident, and now the government auditors are coming in, they’re going to say, you attested that this control was offered. You attested that your environment was what we had certified you for. And saying that, you know,
I didn’t know my control library had decayed. I didn’t know this control wasn’t operating anymore. It’s not going, it’s not a defense. It’s not a good, you can’t use it. Nobody, no regulator, the government’s not gonna be like, oh, oh, that’s okay. We understand that happens. They’re not gonna say that to you. Now, you’re going to,
you know, now you’re going to have serious issues with the federal government. And that’s not a minor thing. So you could be fined. You could lose your ability to actually continue contracting with the government. I mean, the financial impact is major. And then there are
You know, I mean, it could be from the auditor, it could be from internal, right? Somebody internally could do the, what’s called, you know, whistleblower, right? Because they get, if somebody whistleblows and it’s true, they can get 15 to 30% of the settlement, right? So there’s incentive there, right? And it may not even be financial. A lot of people are just very,
you know, want to do the right thing because they’re, these are contracts to our federal government, right? Meant to protect, you know, meant to protect our country, our national security. So, so if you, if you failed your affirmation or your certification, right, is, is, they’ll say it’s you’re defrauding the government now at this point. So you’re going to lose your ability to again, you know,
have business going forward. So in phase two of the CMMC final rule, which begins November 10th of this year, so that’s not far away, level two certificates will start appearing as mandatory contract requirements. So you can’t have compliance drift. You’re going to be required to look at your certifications annually.
And annually, you need to know that your controls are operating.
Actual (19:03)
So we have six months until phase two. Let’s talk about marching orders as we wrap up this episode. What are three things that an executive listening, someone who can make these decisions can do starting tomorrow that they can have as like action items to ensure that they’re not falling into this, maybe this trap or into this thing that they didn’t even realize maybe was happening.
The CISO (19:03)
So, yeah.
Actual (19:26)
this compliance drift. So what can they do?
The CISO (19:30)
you know, there’s three things that they can do right away. One is walk through your control library, right? Take a look at it. Your control library should have like, you know, you always start with a policy. So every single control should be able to map to a policy, right? That governs that control. Two, you need to understand like, you know,
whether it’s a manual control or technical control, how is that control operating? And then who’s responsible for that control? And then the last time that that control was actually reviewed and validated, that it was operating effectively. You need those four things. So that’s the first thing is take a look at your control library. Make sure those four metadata are filled in and that’s
The last time that control was reviewed wasn’t older than 12 months. Second is tribal knowledge. That is going to, I mean, especially now we have AI. Make sure everything’s documented. that a, and go through, like go through, that’s what assessments are for. Like you don’t want to wait for an external auditor, right? You can do your own internal self-assessment.
Always keep checking to make sure that you are doing what you say you do. If you say, hey, every control needs to be documented, assess that. Make sure. Go do deep dives. Take a look at those SIEM rules. Like ask, hey, I see here there’s all these rules. Why do we do this rule? Why do we do this rule? Why do we do this rule? Next is, you know.
I would make sure because incoming leaders, they always want to put their stamp on things. They always want to have their vision. But make it a policy that any leader coming in, and this is just good practice, not only in security, but just in general, any new leader coming in has to take 30 days to review what controls that they’re accountable for. What are the controls that they’re accountable for?
30 days, they need to understand that. Why do we do this control? Why is this control here? They need to understand that before they start making changes to their environment. And I think you’ll appreciate this. The new commander does not change the watch order until they have walked the post with the person they relieved.
Actual (21:43)
There you go. Yeah.
And in other terms, from what you were saying, trust but verify, right? We’re gonna, we’re gonna come in and kind of what you mentioned earlier, we’re gonna trust that the setup we’re inheriting was set up that way for a reason. But then we’re gonna dig deep and we’re gonna verify it, we’re gonna understand it. Why is it set up that way? Not just okay, I’m trusting because someone told me, right? So the threat we covered today, it doesn’t have a name. It’s not nation state.
It’s not a ransomware crew. It’s a slow, silent erosion of operational reality away from the documented standard that you have signed or you’re going to sign your name to. So every cleared employee who walks out the door takes a piece of your control library with them. Right? Maybe if you skip an inventory here or there, you may find out in an assessment one day that the watch hasn’t been stood up in years.
And we don’t want that. The standard isn’t maintaining itself. The library doesn’t update itself and the watch doesn’t stand itself. We have to do these things. So mission success is about documentation, institutional memory, right? Tribal knowledge, knowing what you have to do, who owns it, when it was last verified. So we’re going to trust but verify. We’re going to do the work.
We’re going to make sure that we’ve crossed our t’s, right, dotted our i’s, and we’re going to execute the standard. So that’s it for this week. We’ll see you guys next week.