Excerpts from the following article will appear in the forthcoming book Assessing and Insuring
Cybersecurity Risk from CRC Press, Co-Authored with Ravi Das.
OK so technically they’re acronyms. Our industry needs more of them right? Four-letter words
can lift and build (like “love”) or bring down (like “dumb” or other expletives.) These three
acronyms however have had significant impact on cyber security and privacy. They are GDPR,
CCPA and CMMC.
In this article we’ll do an overview of each, and I suspect there will be a little value for all.
Few companies can escape the impact of these four-letter "words".
Privacy and GDPR – What’s the Big Deal?
A wave of data privacy rights, discussions, laws, and actions have swept the world recently,
but especially since World War II. One can suggest that for GDPR, or the General Data
Protection Regulation, the Holocaust has had everything to do with its inception and passage(1).
Enacted in May of 2018, the general Data Protection Regulation is designed to protect the data
of its member states’ owners, both in terms of cyber breach protection as well as data owners’
rights to see their data, be forgotten, and/or see to the removal of that data.
Like the HIPAA legislation in the US, GDPR expands to cover EU citizen data surrounding almost
all personal elements, including not only the obvious such as name, address, birth date, phone
and credit card numbers etc., but religious affiliation, sexual orientation, political opinions, race,
gender, and more.
History refresher: Concern of privacy data is directly linked to the atrocities of the Nazis who, as
their regime rose to power, systematically abused private data to identify Jews and other
minority groups with extreme objectives – the most atrocious of course being genocide,
torture, manipulation and other terrible acts.
Here are some facts surrounding early data processing during WWII that you will find curious if
not disturbing:
In 1930s Germany, census workers went door to door filling out punch cards that
indicated residents’ nationalities, native language, religion and profession. The cards were counted by the early data processors known as Hollerith machines, manufactured
by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH
(Dehomag). This history became more widely known after the publication of the 2001
book IBM and the Holocaust: The Strategic Alliance Between Nazi Germany and
America’s Most Powerful Corporation, which argued that those Hollerith machines not
only identified Jews, but also ran the trains that transported them to concentration
camps. Some historians dispute the book’s claims that IBM supported the use of its
machines to carry out genocide and argue that the Nazis also used other methods, as
simple as pen and paper, to round up victims just as effectively; the company hasn’t
denied that its machines were used during the Holocaust, but claims “most” documents
about the operations have been “lost.” (2)
Clearly the example above indicates moral and ethical responsibility to ensure that as
technology progresses, so too do the protections and rights involving personal data.
Implications for Business and Cyber Security
Simply stated, businesses which fail to implement proper cyber protections into their data
processing and infrastructure, in addition to the user/owner data rights and policies, can find
themselves in breach of the Regulation. In fact, negligence leading to data breach, data misuse, or failure to disclose or grant the rights enumerated under GDPR can lead to some whopping fines. Specifically, Article 82, Right to compensation and liability states:
"Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking,
up to 4 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher"
Yeah, you’re reading that correctly – 4% of global revenue or twenty million EUR, whichever is
higher.
Think of the implications of this for companies such as Facebook, for example. Rounding out
their 2019 revenue to $70 Billion, that’s 2.8 Billion in fines. Ouch! A small company providing a
data service provider role (say a growing SaaS company) of only a million in revenue could face
a fine (the “higher of the two”) of much more than just a $40,000 fine. Although, wise judicial
arbitors should make the fine appropriate to the offense, they still have the power to levy much
more than the 4% for smaller companies.
“So why should I care?” you may be saying, “I do business in the US!” But what if you are
a technology company and you have garnered European clients over the years. Many
technology businesses have. Businesses such as the hotel industry have as well, where technology is used to store the data of its European clients.
While it may be true that European regulators may not have power in the US, they could block
your company from doing business in the EU, and that could sting.
One other scenario and implication is that your business may not service EU citizens directly,
but your systems and services may service those companies who do. Examples include SaaS platforms or POS systems for hotels and other industries. Faults and flaws, failure to patch or keep up with vulnerabilities in your software could cause your company liability. Liability determined by your clients should they suffer privacy data loss or inability to otherwise comply with the Regulation. That now resonates with many businesses in the US.
More About GDPR
Running a cybersecurity company, I tend to think about GDPR from a cyber protection and risk
management perspective. However, the implications for legal issues such as consent,
declaration, and rights-granting policies and technologies also come into play.
Here are the seven key principles GDPR sets out to achieve:
Lawfulness, fairness and transparency.
Purpose limitation.
Data minimization.
Accuracy.
Storage limitation.
Integrity and confidentiality (security)
Accountability.
To summarize, GDPR states that personal data must be "processed lawfully, fairly and in a
transparent manner in relation to the data subject". This means that all data controllers must
only process data for the purpose they acquired it and with consideration of the data subject's
rights. Finally, processed data must be stored, processed, and transmitted securely and with
information security policy which will mitigate the risk of data breach or data theft.
DPO, DCs and DPs
With GDPR, organizations now have the requirement to categorize themselves as Data Controllers, and/or Data Processors. They also have the requirement to designate a Data Privacy Officer or DPO. A Data Controller is a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body). For the official GDPR definition of “data controller”, please see Article 4.7 of the GDPR.
The Data Controller determines the purposes for which and the means by which personal data
is processed. The Data Processor processes personal data only on behalf of the controller.
The data processor is usually a third party external to the company (credit card processors, for
example)
Here is the official definition by the ICO or International Commissioner’s office, the governing
body in the UK for GDPR.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (3)
The relevance here is that controllers basically own and are liable for the data they’re
processing and for what purposes.
“Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.
Although a processor may make its own day-to-day operational decisions, Article 29 says it
should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.
If a processor acts without the controller’s instructions in such a way that it determines the
purpose and means of processing, including to comply with a statutory obligation, it will be a
controller in respect of that processing and will have the same liability as a controller.
A processor can be a company or other legal entity (such as an incorporated partnership,
incorporated association or public authority), or an individual, for example a consultant. (4)”
Governing these policies and processes in the organization is the DPO or The Data Protection
Officer. The DPO “ensures, in an independent manner, that an organization applies the laws
protecting individuals' personal data. The designation, position and tasks of a DPO within an
organization are described in Articles 37, 38 and 39 of the European Union General Data
Protection Regulation. (5) ”
In short, it is the DPO’s responsibility to ensure compliance with the GDPR. Since most
organizations won’t have a DPO, this resource can be outsourced.
Conclusions on GDPR
At the time of this writing, 2.5 years out from its origin, what has been the impact of GDPR? It is perhaps too early to tell, but just observe the changes:
Most websites that track you are now telling you and allowing you to accept or not.
GDPR has created a one-stop shop system for the regulation and enforcement of privacy in the EU.
Other regulations, particularly in the United States (and we’ll discuss CCPA next) have incorporated many of GDPR’s principles and the result has influenced legislation.
Corporate officers now have data privacy and protection as a discussion where a decade ago less so.
California Consumer Privacy Act (CCPA)
Introduced in January 3, 2018 and signed into law by then Governor Jerry Brown, the California
Consumer Privacy Act, or CCPA, is what I consider the little brother of GDPR. It is a California-
specific statute intended to “enhance privacy rights and consumer protection for residents. (6) ”
Some of the differences, besides the obvious being the protection of only California residents:
The GDPR language protects data subjects, defined as “an identified or identifiable natural person,” whereas the CCPA gives certain rights to consumers, defined as “a natural person who is a California resident.” ... The GDPR protects data subjects, not citizens or residents, unlike the CCPA.
GDPR affects any organization inside or outside of the EU that offers goods or services to or monitors the behavior of EU subjects; where as CCPA is more limited:
o Only companies or entities that do business with California residents and have a gross revenue of greater than $25 million, and handles personal data of more than 50,000 consumers for commercial purposes, or derives 50% or more of its annual revenues from selling consumers’ personal data.
Other key facts about CCPA include(7):
No DPO or privacy officer designation is required as with GDPR.
Fines: Civil penalties, which are violations lacking intent, are $2,500 per violation. Intentional violations are $7,500 each after notice and a 30-day opportunity to remedy the violations.
Security: Does not define or impose data security requirements, but it does give consumers the right to take legal action and establishes a right of action if a security breach occurs. Note – this is the big kicker with CCPA. In a litigious society, CA residents have another way to be even more litigious!
Consent, rights of opting out of the sale of personal data, and legal right to take action are the
foundation of CCPA. Many other minor differences between GDPR and CCPA exist, but for
purposes of this brief chapter I’ve highlighted what I think are the main ones.
The message here to corporate officers everywhere is simple: protect your data, provide
appropriate consent and methods of appropriate data removal or “unsubscription,” and secure
privacy data at rest, in transmission, and wherever processed to protect against consequential
data breach and leakage!
Cybersecurity Maturity Model Certification (CMMC)
In this segment, I want to thank the amazing Webcheck Security practitioner, Lori Crooks, for her
vast DoD, NIST, and other experience in sharing much of the following knowledge regarding
CMMC! Built upon best security practices, the CMMC was organized by The Office of the
Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) in recognition that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward.
Hence, CMMC was designed to protect all Department of Defense (DoD) contractors and all
related subcontractors. CMMC was designed leveraging existing standards such as NIST 800-
171, Aerospace Industries Association (AIA), National Aerospace Standard (NAS) 9933 “Critical
Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency
Response Team (CERT) Resilience Management Model (RMM) v1.2.
It primarily applies to Controlled Unclassified Information or information that the Government
creates or possesses, or that an entity creates or possess for or on behalf of the Government
that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. This could include defense information, financial
information, privacy information, law enforcement, proprietary business information, etc.
Version 1.0 was released in January 2020 and later that year the requirements were solidified
and training/certification infrastructure established. 2021 saw the implementation of the
CMMC.
CMMC will have a profound impact in the next two years and beyond, on many manufacturers,
information and data processors or service providers, SaaS companies and technical providers.
This is because the supply chain servicing DoD and other government entities is vast and broad.
Let’s say, for example, that I have a contract with the Air Force to manufacture a particular
widget that goes into the F-35. As part of that widget or assembly, I get certain pre-fabbed
parts or other widgets, data or other services from Company B. Because Company B is part of
that supply chain, and because I have been asked by the Air Force to certify as CMMC
compliant, I must also ask Company B to certify.
CMMC certification for vendors/suppliers is likely to cost between $15k on the low end to $50k
in preparation and $20k to $50k just to certify. Factors affecting this include:
The scope and breadth of services and locations including how much CUI you handle –store, process, transmit etc.
IT infrastructure involved in your “widgets” or services
Timeframes, i.e. can you phase this in over a year or do you need a time/resource investment now with a 3-6 month deadline?
Consultant and assessor costs
The required Maturity Level of the contract(s) you are maintaining or pursuing
Conceivably, a larger company with many contracts, some of which will require Level 5
Maturity, could spend upwards of $100k going through the certification process. Presumably
however said company would already have many of the NIST 800-171 or other controls largely
in place.
Who Cares?
This leads to a simple answer to a simple question: To whom does CMMC apply? The answer is
it will be specified in your RFI, RFP or contract with the government or the contractors to whom
you supply labor, parts or services. So, if you want to continue supplying, or compete to supply, certain federal government agencies and/or their subcontractors (i.e. your clients) then this affects you.
Levels
CMMC is broken into 5 maturity tiers. Based on the already-established NIST 800-171, it has
110 controls and those controls are split across CMMC Levels 1-3. That means all 110 controls
are encompassed within the Level 3 Practices, and at the Level 3 Maturity requirement, a
certification by a 3PAO signifying Third Party Assessment Organization, will be required. 173
practices in total are mapped across the five maturity levels.
This simple overview of the CMMC Maturity Level lists the Level, the Processes, and the
Practices:
Level 1: Performed. Basic Cyber Hygiene
Level 2: Documented. Intermediate Cyber Hygiene
Level 3: Managed. Good Cyber Hygiene
Level 4: Reviewed. Proactive
Level 5: Optimizing. Advanced/Progressive
Summary
3PAOs are governed by the CMMC Accreditation Board (AB), and certify all assessors. Bottom
line here with CMMC is that if you are providing widgets or services to any entity that supplies
the federal government (or if you supply the federal government directly), chances are this
framework will touch you in at least a Level 1 or 2 maturity level. If you are required in your
contracts to have a Level 3 maturity or above, you will have to hire a 3PAO to help you certify or
at least a risk and compliance consulting organization such as Webcheck Security to help you
prepare or bring your practices and policies into alignment. (8)
About the Author: Greg Johnson is the Co-Author of Testing and Securing Web Applications and also CEO of Webcheck Security, a World-Class Penetration Testing and Cyber Services Company.
1 See article BY OLIVIA B. WAXMAN, MAY 24, 2018 7:12 PM EDT, https://time.com/5290043/nazi-history-eu-data-privacy-gdpr/
2 IBID
3 ICO https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-
regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors/
4 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors/#4
5 https://en.wikipedia.org/wiki/Data_Protection_Officer
6 For more information see https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
7 Comparing CCPA and GDPR: 8 Key Differences Between the Privacy Laws https://www.osano.com/articles/gdpr-vs-ccpa
8 Further source information regarding CMMC can be found here: https://www.acq.osd.mil/cmmc/index.html