
Three 4-Letter Words That Changed Cyber Security: GDPR, CCPA, CMMC

Excerpts from the following article will appear in the forthcoming book Assessing and Insuring Cybersecurity Risk from CRC Press, co-authored with Ravi Das.

OK, so technically they’re acronyms. Our industry needs more of them, right? Four-letter words can lift and build (like “love”) or bring down (like “dumb” or other expletives). These three acronyms, however, have had a significant impact on cyber security and privacy. They are GDPR,


In this article we’ll do an overview of each, and I suspect there will be a little value for all. Few companies can escape the impact of these four-letter “words”.

Privacy and GDPR – What’s the Big Deal?

A wave of data privacy rights, discussions, laws, and actions has swept the world recently, but especially since World War II. One can suggest that for GDPR, or the General Data Protection Regulation, the Holocaust has had everything to do with its inception and passage (1). Enacted in May of 2018, the General Data Protection Regulation is designed to protect the personal data of individuals in its member states, both through protection against cyber breaches and through data owners’ rights to see their data, to be forgotten, and to have that data removed.

Like the HIPAA legislation in the US, GDPR extends to cover EU citizen data surrounding almost all personal elements, including not only the obvious such as name, address, birth date, phone and credit card numbers etc., but also religious affiliation, sexual orientation, political opinions, race, gender, and more.

History refresher: Concern for data privacy is directly linked to the atrocities of the Nazis who, as their regime rose to power, systematically abused private data to identify Jews and other minority groups with extreme objectives – the most atrocious of course being genocide, torture, manipulation and other terrible acts.

Here are some facts surrounding early data processing during WWII that you will find curious if not disturbing:

In 1930s Germany, census workers went door to door filling out punch cards that indicated residents’ nationalities, native language, religion and profession. The cards were counted by the early data processors known as Hollerith machines, manufactured by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH (Dehomag). This history became more widely known after the publication of the 2001 book IBM and the Holocaust: The Strategic Alliance Between Nazi Germany and America’s Most Powerful Corporation, which argued that those Hollerith machines not only identified Jews, but also ran the trains that transported them to concentration camps. Some historians dispute the book’s claims that IBM supported the use of its machines to carry out genocide and argue that the Nazis also used other methods, as simple as pen and paper, to round up victims just as effectively; the company hasn’t denied that its machines were used during the Holocaust, but claims “most” documents about the operations have been “lost.” (2)

Clearly the example above indicates a moral and ethical responsibility to ensure that as technology progresses, so too do the protections and rights involving personal data.

Implications for Business and Cyber Security

Simply stated, businesses that fail to implement proper cyber protections in their data processing and infrastructure, in addition to the user/owner data rights and policies, can find themselves in breach of the Regulation. In fact, negligence leading to data breach, data misuse, or failure to disclose or grant the rights enumerated under GDPR can lead to some whopping fines. Specifically, Article 82, Right to compensation and liability, states:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"

Yeah, you’re reading that correctly – 4% of global revenue or twenty million EUR, whichever is


Think of the implications of this for companies such as Facebook, for example. Rounding their 2019 revenue to $70 Billion, that’s 2.8 Billion in fines. Ouch! A small company acting as a data service provider (say a growing SaaS company) with only a million in revenue could face a fine (the “higher of the two”) of much more than just $40,000. Although wise judicial arbiters should make the fine appropriate to the offense, they still have the power to levy much more than the 4% on smaller companies.

“So why should I care?” you may be saying, “I do business in the US!” But what if you are a technology company and you have garnered European clients over the years? Many technology businesses have. Businesses in the hotel industry have as well, where technology is used to store the data of their European clients.

While it may be true that European regulators may not have power in the US, they could block your company from doing business in the EU, and that could sting.

One other scenario and implication is that your business may not service EU citizens directly, but your systems and services may service those companies that do. Examples include SaaS platforms or POS systems for hotels and other industries. Faults and flaws, or failure to patch or keep up with vulnerabilities in your software, could expose your company to liability, as determined by your clients should they suffer privacy data loss or be otherwise unable to comply with the Regulation. That now resonates with many businesses in the US.

More About GDPR

Running a cybersecurity company, I tend to think about GDPR from a cyber protection and risk management perspective. However, the implications for legal issues such as consent, declaration, and rights-granting policies and technologies also come into play.

Here are the seven key principles GDPR sets out to achieve:

  •  Lawfulness, fairness and transparency.
  •  Purpose limitation.
  •  Data minimization.
  •  Accuracy.
  •  Storage limitation.
  •  Integrity and confidentiality (security).
  •  Accountability.

To summarize, GDPR states that personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject". This means that all data controllers must only process data for the purpose for which they acquired it and with consideration of the data subject's rights. Finally, processed data must be stored, processed, and transmitted securely and under an information security policy that mitigates the risk of data breach or data theft.

DPO, DCs and DPs

With GDPR, organizations now have the requirement to categorize themselves as Data Controllers and/or Data Processors. They also have the requirement to designate a Data Protection Officer, or DPO. A Data Controller is a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body). For the official GDPR definition of “data controller”, please see Article 4.7 of the GDPR.

The Data Controller determines the purposes for which and the means by which personal data is processed. The Data Processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company (credit card processors, for


Here is the official definition by the ICO, or Information Commissioner’s Office, the governing body in the UK for GDPR.

  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (3)

The relevance here is that controllers basically own, and are liable for, the data they’re processing and the purposes for which they process it.

“Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

Although a processor may make its own day-to-day operational decisions, Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.

If a processor acts without the controller’s instructions in such a way that it determines the purpose and means of processing, including to comply with a statutory obligation, it will be a controller in respect of that processing and will have the same liability as a controller.

A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant. (4)”

Governing these policies and processes in the organization is the DPO, or Data Protection Officer. The DPO “ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the European Union General Data Protection Regulation. (5)”

In short, it is the DPO’s responsibility to ensure compliance with the GDPR. Since most organizations won’t have a DPO on staff, this role can be outsourced.

Conclusions on GDPR

At the time of this writing, 2.5 years out from its origin, what has been the impact of GDPR? It is perhaps too early to tell, but just observe the changes:

  •  Most websites that track you now tell you so and allow you to accept or decline.
  •  GDPR has created a one-stop-shop system for the regulation and enforcement of privacy in the EU.
  •  Other regulations, particularly in the United States (and we’ll discuss CCPA next), have incorporated many of GDPR’s principles, and the result has influenced legislation.
  •  Corporate officers now discuss data privacy and protection, where a decade ago they did so far less.

California Consumer Privacy Act (CCPA)

Introduced on January 3, 2018 and signed into law by then Governor Jerry Brown, the California Consumer Privacy Act, or CCPA, is what I consider the little brother of GDPR. It is a California-specific statute intended to “enhance privacy rights and consumer protection for residents. (6)”

Some of the differences, besides the obvious one of protecting only California residents:

  •  The GDPR language protects data subjects, defined as “an identified or identifiable natural person,” whereas the CCPA gives certain rights to consumers, defined as “a natural person who is a California resident.” ... The GDPR protects data subjects, not citizens or residents, unlike the CCPA.
  •  GDPR affects any organization inside or outside of the EU that offers goods or services to or monitors the behavior of EU subjects, whereas CCPA is more limited:
      o  Only companies or entities that do business with California residents and have a gross revenue of greater than $25 million, and handle personal data of more than 50,000 consumers for commercial purposes, or derive 50% or more of their annual revenues from selling consumers’ personal data.

Other key facts about CCPA include (7):

  •  No DPO or privacy officer designation is required, as it is with GDPR.
  •  Fines: Civil penalties, which are for violations lacking intent, are $2,500 per violation. Intentional violations are $7,500 each after notice and a 30-day opportunity to remedy the violations.
  •  Security: Does not define or impose data security requirements, but it does give consumers the right to take legal action and establishes a right of action if a security breach occurs. Note – this is the big kicker with CCPA. In a litigious society, CA residents have another way to be even more litigious!

Consent, rights of opting out of the sale of personal data, and the legal right to take action are the foundation of CCPA. Many other minor differences between GDPR and CCPA exist, but for purposes of this brief chapter I’ve highlighted what I think are the main ones.

The message here to corporate officers everywhere is simple: protect your data, provide appropriate consent and methods of appropriate data removal or “unsubscription,” and secure privacy data at rest, in transmission, and wherever processed to protect against consequential data breach and leakage!

Cybersecurity Maturity Model Certification (CMMC)

In this segment, I want to thank the amazing Webcheck Security practitioner Lori Crooks for sharing much of the following knowledge regarding CMMC from her vast DoD, NIST, and other experience! Built upon best security practices, the CMMC was organized by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) in recognition that security is foundational to acquisition and should not be traded off against cost, schedule, and performance moving forward.

Hence, CMMC was designed to protect all Department of Defense (DoD) contractors and all related subcontractors. CMMC was designed leveraging existing standards such as NIST 800-171, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

It primarily applies to Controlled Unclassified Information (CUI), or information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. This could include defense information, financial information, privacy information, law enforcement information, proprietary business information, etc.

Version 1.0 was released in January 2020, and later that year the requirements were solidified and training/certification infrastructure established. 2021 saw the implementation of the


CMMC will have a profound impact in the next two years and beyond on many manufacturers, information and data processors or service providers, SaaS companies and technical providers. This is because the supply chain servicing DoD and other government entities is vast and broad.

Let’s say, for example, that I have a contract with the Air Force to manufacture a particular widget that goes into the F-35. As part of that widget or assembly, I get certain pre-fabbed parts or other widgets, data or other services from Company B. Because Company B is part of that supply chain, and because I have been asked by the Air Force to certify as CMMC compliant, I must also ask Company B to certify.

CMMC certification for vendors/suppliers is likely to cost between $15k on the low end and $50k in preparation, and $20k to $50k just to certify. Factors affecting this include:

  •  The scope and breadth of services and locations, including how much CUI you handle (store, process, transmit, etc.)
  •  IT infrastructure involved in your “widgets” or services
  •  Timeframes, i.e. can you phase this in over a year, or do you need a time/resource investment now with a 3-6 month deadline?
  •  Consultant and assessor costs
  •  The required Maturity Level of the contract(s) you are maintaining or pursuing

Conceivably, a larger company with many contracts, some of which will require Level 5 Maturity, could spend upwards of $100k going through the certification process. Presumably, however, said company would already have many of the NIST 800-171 or other controls largely in place.

Who Cares?

This leads to a simple answer to a simple question: To whom does CMMC apply? The answer is that it will be specified in your RFI, RFP or contract with the government or with the contractors to whom you supply labor, parts or services. So, if you want to continue supplying, or compete to supply, certain federal government agencies and/or their subcontractors (i.e. your clients), then this affects you.


CMMC is broken into 5 maturity tiers. Based on the already-established NIST 800-171, it has 110 controls, and those controls are split across CMMC Levels 1-3. That means all 110 controls are encompassed within the Level 3 practices, and at the Level 3 maturity requirement, a certification by a 3PAO (Third Party Assessment Organization) will be required. 173 practices in total are mapped across the five maturity levels.

This simple overview of the CMMC Maturity Level lists the Level, the Processes, and the


  1. Level 1: Performed. Basic Cyber Hygiene
  2. Level 2: Documented. Intermediate Cyber Hygiene
  3. Level 3: Managed. Good Cyber Hygiene
  4. Level 4: Reviewed. Proactive
  5. Level 5: Optimizing. Advanced/Progressive


3PAOs are governed by the CMMC Accreditation Board (AB), which also certifies all assessors. The bottom line here with CMMC is that if you are providing widgets or services to any entity that supplies the federal government (or if you supply the federal government directly), chances are this framework will touch you at at least a Level 1 or 2 maturity level. If you are required in your contracts to have a Level 3 maturity or above, you will have to hire a 3PAO to help you certify, or at least a risk and compliance consulting organization such as Webcheck Security to help you prepare or bring your practices and policies into alignment. (8)

About the Author: Greg Johnson is the Co-Author of Testing and Securing Web Applications and also CEO of Webcheck Security, a World-Class Penetration Testing and Cyber Services Company.

1 See article by Olivia B. Waxman, May 24, 2018 7:12 PM EDT,
7 Comparing CCPA and GDPR: 8 Key Differences Between the Privacy Laws
8 Further source information regarding CMMC can be found here: