Podcast Season 4 Episode 2 – WashTech CISOs Speak: Nicole Dean with Accenture Federal
Join NeoCast host Erin Keating as she speaks with Accenture Federal CISO Nicole Dean. In this episode they talk about the build-up towards the CMMC deadline in September and what prime contractors like Accenture Federal are doing to prepare themselves as well as their subcontractors.
Transcript
Erin Keating:
Welcome to Neo Cast. Join us each week as we discuss challenges in government contracting strategies and solutions for your businesses. We’ll dive into managed IT, cyber security, workforce advancement and much, much more. Sharing is caring and we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it.
Erin Keating:
Hello everybody and welcome to another edition of CISOs Speak. We are talking to some of the top chief information security officers in the country and today we are honored and pleasured to have Ms. Nicole Dean back with us. Hello Nicole. Thank you so much for joining us again today.
Nicole Dean:
Right. Thank you for having me. Glad to be here.
Erin Keating:
Absolutely. We’ve been doing a little series that we call CISOs Speak and we’re trying to focus on CMMC and the supply chain, especially given now that we are in a slightly different situation than we were when you and I and Katie Arrington spoke back in, I think it was now February or maybe mid-March. And a lot of things are changing but the government’s not slowing down, DOD is not slowing down, CMMC is moving forward. So we wanted to kind of get your perspective on how that is challenging right now. What are you guys doing with the supply chain? But first and foremost, if you wouldn’t mind just reintroducing yourself, tell us a little bit about who you are and a brief history of sort of how you got to this position and how you might be related to the CMMC work and its creation, as we know you do sit on the board. So if you could tell us a little bit about that and then we’ll jump into some questions.
Nicole Dean:
Sure. I’m Nicole Dean. I am currently the chief information security officer for Accenture Federal Services as well as a director on the CMMC Accreditation Body Board. My background is primarily working in the US government. I’ve worked for civilian agencies, DOD agencies, Intel agencies throughout my career in the government, finishing up my service as an SES with the Department of Homeland Security, responsible for the cybersecurity of the federal executive civilian branch government.
Nicole Dean:
After I left government service, I went to industry and I’ve held three industry positions. The first was at Raytheon serving as a cyber subject matter expert. Then off to Goodyear as their first ever global chief information security officer, where I was finally recruited to come to Accenture Federal Services and be their chief information security officer. And because of that government as well as industry background in the cyber and IT field, I applied and was accepted to be a part of the CMMC Accreditation Body and I am responsible for the infrastructure committee within that as well as the co-chair for our ethics and compliance committee. But as the head of the infrastructure, my responsibility is building obviously the internal infrastructure for the CMMC as well as coordinating with DOD on the information types and things that are going to be shared as a result of the assessments. And longer term is building an approved product list that people can use.
Erin Keating:
Great. Awesome. So you have a couple of different perspectives that you’ll probably take in answering some of these questions and we appreciate both your perspective as Accenture Federal’s CISO, but also as someone who is on the Accreditation Body. So feel free to give us your perspective as much as you feel comfortable from either of those roles that you play in some of these questions that I’d love to chat with you now about. One of the things that we’re really looking to hear from CISOs around the country and specifically related to DOD contractors is, what are you hearing that’s trending right now for primes as it relates to CMMC?
Nicole Dean:
So nothing has changed as far as the CMMC schedule. So CMMC was really created to have a trust but verify type model, to make sure that we are having consistent application of cybersecurity controls across the defense industrial base. And using the Accreditation Body as an independent organization to certify the accreditors that are going to come in and look at the DIB company. So, the implementation timeline has not changed. We’re looking at approximately 10 contracts that will have the initial CMMC requirement going out this fall. So companies should be getting ready for CMMC assessments, knowing that there’s going to be 10 this fall, with a full rollout of the CMMC expected to happen over a five-year time period and be completed by the end of 2026.
Erin Keating:
So as prime contractors, a lot of the larger firms may already be at certain levels that are probably going to be pretty easy for them to attain. But of course you have a ton of subcontractors that you’re usually working with on the large contracts. How has Accenture started to think about communicating to subcontractors? Is there a strategic approach that you’re thinking about as far as helping them to get up to certification in time for those contracts?
Nicole Dean:
So, I mean the CMMC requirement is going to be in new contracts going forward. And so we’ve already been communicating with all our subs. Making sure that one, they’re aware of the CMMC standards that DOD has put out there and making sure that they’re actually planning and understanding what levels they want to be at. So we’ve been in regular communication, talking with our subs and then prioritizing, looking at which ones are looking to achieve which level so that we understand going forward how that mix of our subs will feed into our supply chain as we pursue work with the Department of Defense.
Erin Keating:
Gotcha. And when you said that 10 are going to be coming up in September, are you referring to 10 new contracts that will be open for bid in September that primes need to be aware of and ready to respond to?
Nicole Dean:
Yes. DOD is referring to those as Pathfinder, and so they have said there’ll be approximately 10 brand new contracts that will have the initial CMMC requirements in them. Not that they’re all going to be released come the fall, but that we will start seeing releases this fall. So primes and then their subs will need to be ready once those RFPs come out to actually have assessments against them to make sure that they are meeting whatever CMMC level requirement is specified in those RFPs. And again, as DOD is stating, primes can be one level, and there can be different levels for subs depending on what they’re doing and what type of information is going to be required of those subcontractors.
Erin Keating:
Great. So out of curiosity, have they given any indications as to what level of certification will be required for those or does that still remain to be seen?
Nicole Dean:
So that would be DOD’s position to take. So let’s say it’s remaining to be seen, not sure quite yet exactly what levels we will see in the fall. My assumption is that we’ll definitely see levels one, two and three as that is going to be the majority of the defense industrial base as far as certification. And DOD has repeatedly stated that levels four and five will be the minority of the defense industrial base.
Erin Keating:
Got you. So are you seeing any challenges related to technologies in getting up to certification and what are you thinking about as possible solutions for any of those types of challenges you might be seeing?
Nicole Dean:
I haven’t really seen technology as a limitation of achieving the goals set out in the CMMC model. It’s really ensuring that you have your documentation and your processes thoroughly outlined that an assessor is going to come in and see. So many companies, in talking to our subs, and even looking internally, many companies have processes and procedures in place, but is the documentation going to be sufficient for what an assessor is going to want? So it’s really making sure that you have that documentation hot, extremely tight, on hand, ready, and that you can validate and prove that your processes are meeting what’s actually written down on paper. And I think that’s the biggest challenge for companies to go through, making sure that you have the level of specificity that the model is going to require.
Erin Keating:
Interesting. So again, for large contractors, it may be that there is already a lot of in-house work, in-house departments and talent and resources to make sure that the compliance is met. With the smaller subcontractors that may be in your supply chain, are you all offering, or how are you thinking about, assistance to them in order to be able to bring their systems within compliance, and does automation play a role in that, and/or platforms or other technology? How are you all thinking about that for your subcontractors?
Nicole Dean:
If you look at what the model is, I mean at a level one that’s already a FAR requirement. So, subs should already be meeting the controls that are listed in the FAR as it exists today. So there shouldn’t be anything new that companies are seeing. It’s really as companies want to get into level two or three that there are additional controls that they may need to meet that they hadn’t previously been meeting. And so, I mean we have an open Q&A forum that we’ve established with our subs where they can ask a question and we can educate them. There are tons of tools out there. I don’t want to be a voice to say this is the best tool, but there are a lot of different tools that have already been developed out there that can help a company do a self-assessment of where they are today. And contractors should be looking at some of those tools to help them do an internal assessment if they don’t have something already developed in-house.
Nicole Dean:
Many of the tools are much better to help you automate and figure out where you are rather than trying to create huge mapping Excel spreadsheets on where you’re at. We’re also looking at ways that we can help our subs through creating enclaves within our infrastructure so that we could put some of our subs that may not be at the maturity level we’d want them to be for our contract within our own infrastructure enclaves, and they would sit within the Accenture space rather than using their own equipment, so that they would be at the certification level that we are as a company writ large.
Erin Keating:
Yeah, that’s smart. So speaking about certification, we know that that means that there needs to be auditors in the system. You and I, and Katie, when we had our last conversation, we threw numbers around of 300,000 contractors who are going to need to be coming up to certification. And the fact that there had not been to date, and you can correct me if I’m wrong, any auditors actually announced or in business just yet. So what are you thinking about as far as the time crunch, getting things done by September, not just having your subcontractors and yourself ready and compliant, but actually having the auditors and getting in the lineup to be approved and certified?
Nicole Dean:
There are still no auditors announced. We as the AB are working diligently with the Department of Defense, developing the training material that’s going to go out and the process for vetting people that want to be an assessor or a C3PAO company themselves. And we are planning to launch within the next few months so that we can have people ready to assess companies come the fall. But again, you have to remember that this is a phased approach the DOD is looking at.
Nicole Dean:
You’re looking at only 10 companies in the next year’s timeframe and that this is going to expand from next year through to the end of 2026. So it’s going to be not everybody at once. It’s going to be a phased approach over time. Come September, not all 300,000 companies are going to need to be certified. They’re going to need to be certified over a five-year timeframe. So the same thing is going to be, you’re going to see the number of assessors increase from this year through 2026. And it’s not that everybody has to be ready all at once. So we’re working that timeline to make sure that there’ll be enough assessors for the fall timeframe when these initial Pathfinder contracts come out. And then grow the assessor pool over time to meet the demand and to ensure that we map to meeting the 2026 deadline to have full CMMC implementation.
Erin Keating:
So I have to ask, we know that this specifically affects any contractors that are working with the DOD, but a lot of things have changed in the last few months, namely COVID has come on the scene and a lot more cybersecurity attention has been paid to the way in which we’re needing to rapidly allow different parts of industries data and access, and therefore cyber attacks and cyber security are becoming even more pronounced than before, when it’s already been a pretty high level of alert across all industries. Have you been approached by, or have you heard any noise in the system about, how more departments will adopt this level of certification, not just DOD? And is there sharing of that information on how you develop the certification? And I’m specifically thinking about a lot of things over in DHS or even outside to private industries like healthcare that have come up as a result of everything that’s happening right now. Any finger on the pulse there that you’d like to share?
Nicole Dean:
So I know the goal that DOD is looking for is that the CMMC can be adopted by other entities. Katie herself I know has stated she sits at the national acquisition [inaudible 00:13:26] and is sharing what DOD is doing. And traditionally what you’ve seen is that if DOD takes the lead and gets something out in one of their DFARS requirements that is contractually mandated, you actually do see that picked up and ultimately pulled into a FAR requirement. So, I know from my perspective, taking off my AB hat and putting my Accenture hat on, I would love to see that adopted through the federal government so that there’s a single standard that contractors have to meet. Is that where we’re at today? I don’t know. But I know that is the goal Katie’s working for and that DOD is also hoping that we can see greater adoption both in the federal government and across the international space as well.
Erin Keating:
Sure. Well we don’t do this in front of a live audience, but I have to imagine that if we had one, they’d all be applauding and saying, “Amen sister.” We need some uniformity so that we can wrap our heads around our daily work and not have to think about 17 million different requirements that we need to adhere to from all different places. So I think that’s a good hope to have as far as making it more uniform. So just in wrapping us up here, what’s life like for a CISO right now? Given everything and the complexity of the universe right now, has it changed much? Are you experiencing that you’re having to focus on things that maybe you weren’t predicting for this particular quarter, especially given that you’re also tied up in this accreditation board and everything here? How’s life going?
Nicole Dean:
So I think for me, obviously the number of threats has increased; the phishing and the malicious domains that COVID has created for attackers to take advantage of have just exploded out there. By that I mean we as a company, from Accenture’s standpoint, we’ve always been built to be able to work anywhere. So for us, the challenges of moving from in the office to work from home were limited to none. Because we already designed our enterprise to support our people to be able to work anywhere, anytime, in the way that we operate. So from that aspect, thankful that we were ready and that’s the way that we had designed our enterprise and modeled it, both from an IT standpoint but also to ensure that you get the same security protection wherever you’re working, which is good.
Nicole Dean:
But yes, the threat landscape has just exploded. So from that aspect, if you look at our SOC and CERT team, I mean the number of things that we’re dealing with has exploded due to COVID. It’s due to working from home and due to people trying to take advantage of the situation and figure out ways to use that to attack companies.
Erin Keating:
Right. I mean it’s not lost on me that we’re talking about supply chain in the future for working on large government contracts, but everyone is talking about supply chain, period, in the world right now, because that’s truly what’s looking most vulnerable in any industry. And often, the unseen supply chain that most people don’t realize. How their burger gets to their house, for instance, or something along those lines. So it’s good that you guys have the purview of what that takes from inside the work that you do, because you’re probably able to quickly make the analogous jump over to other industries that are now suffering cyber attacks throughout their supply chain. Interesting times. Well, what are the next steps for you in this whole process? What are you working on next as a big initiative within Accenture and then also within your role within the accreditation board?
Nicole Dean:
From the accreditation board, as I said, I mean we are diligently working with the Department of Defense right now to, you know, to meet their timelines and develop the training that is going to be released and developing how we’re going to certify and permit people to become an assessor in a C3PAO. So I mean we are actively working with them on a weekly, daily basis on what that’s actually going to look like. And we are on target for meeting dates to get that out to the public. So I tell people if you aren’t watching the CMMCab.org website, that’s where you need to be keeping track of, because that’s where the latest information on when all these things are going to happen will be posted up.
Nicole Dean:
So, if you’re not, make sure you are. And then from an Accenture standpoint, it’s making sure that we are ready to have the CMMC assessment, and feeling confident that we are. And then the normal that we’re always doing: the threat landscape is always changing. So what else can we add to our security stack to make us even better? We are always in a discovery mode there, that never goes away and it shouldn’t for any company. I mean it’s not like the threat stays consistent across time.
Erin Keating:
Absolutely. Well, the saying goes offense is often the best defense. So it’s good for you all to position yourselves in that way. Well Nicole, it’s been a pleasure talking to you. I really thank you on behalf of Neo Systems and myself for always making yourself available to help just educate and inform any of our listeners on all of this stuff that’s coming out. It’s a lot for people to comprehend right now and to be on top of, especially in a time where, to your point, people are dealing with even more threats, and so we just really appreciate your expertise and your time and your willingness to lend that to educating people. So appreciate you being here. Thank you very much.
Nicole Dean:
Well, thank you again for having me.
Erin Keating:
Absolutely. Take care. The Neo Systems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over your competitors? Smart organizations are paying more attention to their strategic back office operations. Neo Systems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry-leading information technology tools and an advanced technical infrastructure. From software hosting and security solutions to managed accounting services, Neo Systems’ custom-built solutions and services are tailored to fit your organization’s needs. Check us out on the internet at Neosystemscorp.com. That’s NeoSystemsCorp.com.