GRC Academy

I have an incredible announcement to share! 👀Before that though, let me share some of my history with you.Back in 2016, I started a side-business called TEKFused LLC focused on web design/hosting.Fast forward to 2022, I launched GRC Academy, and since then I’ve released 3 CMMC courses, released 50+ podcast episodes, and partnered with some amazing companies.Earlier this year, life threw me a curveball when I was laid off from my full-time role.Thanks to the incredible support of my AMAZING LinkedIn network, I had new opportunities on the table immediately!Within a week, I accepted a role with Summit 7 as Director of Cybersecurity - a company I’ve admired since 2019.And here’s the part I NEVER expected:👉 Summit 7 has officially acquired GRC Academy!! 🎉🥳🎉And guess what?!? I've already completely updated and rerecorded my CMMC training!! And it's even better than it was before!!GRC Academy students with active enrollments to my CMMC training will receive access to the new training on Summit 7's platform. It will take some time to get this all together, so keep your eyes open for that announcement.I'll be contributing to Summit 7's YouTube channel in the future as well, so subscribe if you haven't already: https://youtube.com/@summit7I will still be reselling PECB training at my TEKFused LLC website! If you need to get certified in ISO 27001/42001 (and more), be sure to keep me on your list: https://tekfused.com/courses/?utm_source=podcast&utm_medium=s2-11&utm_campaign=s7-acquisition-announcementOn a personal note, I’m very thankful that this transition allows me to spend way more time with my family - while continuing my mission of educating the Defense Industrial Base!I learned so much during this chapter of my life. I want to thank all of you for your support - it truly made this possible.#cmmc #nist #cybersecurity

CMMC certification could be the key to surviving DOGE cuts! 👀In this episode, I’m joined by Derek Kernus of Aethon Security to discuss the business case for CMMC!This episode was really refreshing to me. Yes, our discussions about deep CMMC topics are important, but learning how to convince your company leadership to make the CMMC investment is even more critical.Here are some takeaways:How CMMC early adopters can shape contracts and limit competitionHow to frame the CMMC investment to internal leadershipThe impending CMMC bottleneck of doom 👻What mock assessments are and how they can help you prepareWhy choosing the wrong MSP could actually kill your chances at certificationAfter being impacted by DOGE myself, I've put a lot of thought into how small businesses will be impacted by DOGE + CMMC.Most of my concern is for SMBs that haven't started preparing for CMMC. That costs a lot of money, and if SMBs lose revenue due to DOGE cuts before they prepare for CMMC, I'm not sure they'll be able to survive in the defense contracting space.But there is great opportunity for CMMC early adopters to be part a small cadre of CMMC certified companies and operate in a much smaller competitive space.It turns out CMMC actually could be your business's savior. Who knew!?!I really enjoyed this conversation! What were your biggest takeaways? Let me know in the comments.Follow Derek on LinkedIn: https://www.linkedin.com/in/derekkernus/Aethon Security Website: https://www.aethonsecurity.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-10&utm_campaign=courses#cmmc

"Compliance is the security referee - frameworks are the playbooks."In this episode, I’m joined by Tim Golden, Founder of Compliance Scorecard, to unpack the misunderstood, and mission-critical world of cyber GRC.Tim shares what he’s learned from decades of hands-on work - from implementing NIST frameworks before “GRC” was even a term, to helping teams understand why writing policies is just as important as patching vulnerabilities.Here are some highlights from the episode:What GRC actually means - and why governance is the most misunderstood partWhy people who say "compliance isn't security" are missing the pointHow explaining the "why" of cybersecurity controls aids in acceptanceWhy data retention policies can protect you from major legal headachesAnd yes… a story about how Tim accidentally ransomwared himself 🙃This is a must-listen for anyone navigating compliance, cybersecurity, or just trying to understand how it all fits together!I really enjoyed this conversation! What were your biggest takeaways? Let me know in the comments.Follow Tim on LinkedIn: https://www.linkedin.com/in/timothygolden/Compliance Scorecard Website: https://compliancescorecard.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e9&utm_campaign=courses#cybersecurity

Cybersecurity frameworks can learn a lot from HITRUST.In this episode, Ryan Patrick of HITRUST explains how HITRUST approaches the assurance problem, from centralizing the certification process to frequent updates to the control sets based on threat data.I barely knew anything about HITRUST going in, but it’s clear they’re tackling the cybersecurity assurance problem in a radically different way.Here’s what stood out to me:HITRUST reviews its security controls quarterly based on threat intel and control effectivenessThere are three distinct assessment levels (like CMMC)HITRUST itself issues a certification after the 3rd party assessment and running the assessment results through two stages of QAEvery 3rd assessment gets reviewed. Every. Single. One.The centralized approach of HITRUST allows them to provide feedback to its assessment community after each and every assessment which results in assessments that are more consistent and higher quality.HITRUST certified organizations are contractually required to report incidents which then allows them to evaluate the effectiveness of their controls.I personally think that commercial cybersecurity frameworks should take a look at HITRUST.What were your biggest takeaways? Let me know in the comments.Follow Ryan on LinkedIn: https://www.linkedin.com/in/ryan-patrick-3699117a/HITRUST Website: https://hitrustalliance.net/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e8&utm_campaign=courses#hitrust

"Outread the others" - that's how Ryan Bonner mastered CUI.If you're confused about Controlled Unclassified Information (CUI) - you're not alone. Many defense contractors (not to mention DoD themselves) misunderstand what is CUI, where it comes from, and how to handle it.In this episode, Ryan Bonner, CEO of DEFCERT, gives a masterclass in understanding CUI from the actual laws and regulations - not just hearsay.👉 Here are the highlights:What CUI really is - and what it’s notHow to use the NARA and DoD CUI registriesThe proprietary paradoxHow to decontrol CUIThe difference between FCI and CUIDoD memo on determining CMMC levels This is essential listening for anyone working with the defense industrial base - primes, subs, and especially DoD program managers who want to avoid missteps.What were your biggest takeaways? Let me know in the comments.Follow Ryan on LinkedIn: https://www.linkedin.com/in/rybonner/DEFCERT Website: https://defcert.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e7&utm_campaign=courses#cui #cmmc

HR guy leads his company to CMMC level 2 certification! 👀In this episode I’m joined by Eric Fields of Reynolds Construction to learn how he led his business to CMMC level 2 certification!I call him "Eric the Great" - you'll see why in a moment.Eric's background was in HR and business operations. He had no background in IT or cybersecurity.They did it in-house - with just two people and smart choices.👉 Here’s how they did it:CMMC training from GRC AcademyResources and advisory services from Kieri SolutionsCCP & CCA trainingMeticulous documentationThis episode is very special to me - Eric's intro to CMMC was through GRC Academy more than 2 years ago, and he was actually the second person to leave a 5-star review on my CMMC training for defense contractors: https://grcacademy.io/course-reviews/cmmc-overview-training-eric-f-20230127/This episode is a great reminder that small businesses can achieve CMMC certification without breaking the bank.That said, time is no longer a luxury. With CMMC phasing in this summer, small businesses need to move fast - and partnering with a CMMC-focused MSP can help accelerate the process.What were your biggest takeaways? Feel free to celebrate with "Eric the Great" in the comments!Follow Eric on LinkedIn: https://www.linkedin.com/in/ericfields6/Reynolds Construction Website: https://www.reynoldscon.com/-----------Thanks to our sponsor Vanta!Get back time to focus on strengthening security and scaling your business.Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e6&utm_campaign=courses#cmmc #nist #cybersecurity

CMMC rolls out in a few months and there are STILL companies who are JUST getting started!In this episode I’m joined by Daniel Akridge of Summit 7 to talk about the real challenges facing the Defense Industrial Base - and the FASTEST path to CMMC certification.To CUI Enclave, or not to CUI enclave - that is the question!👉 Here are some of the highlights:What the big primes are saying about their subs and CMMCThe biggest CMMC hurdles for defense contractorsWhy MOST DoD contracts could require CMMC Level 2 certification - not just self-attestationDeep dive into CUI enclaves and their pros and consI personally like CUI enclaves because it keeps government cybersecurity regulations and incident reporting requirements out of my corporate IT environment...However if you are a small business that primarily supports the DoD, CUI enclaves begin to make less sense - even as I try to reason otherwise!What were your biggest takeaways? Do you LUV CUI enclaves?? Let me know in the comments!Follow Daniel on LinkedIn: https://www.linkedin.com/in/danielakridge/Summit 7 Website: https://www.summit7.us/-----------Thanks to our sponsor Vanta!Need continuous visibility into the state of your security controls?Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e5&utm_campaign=courses#cmmc #nist #cybersecurity

“We built a second company from scratch…”Is that what it takes for MSPs to get CMMC'd!?! 👀In this episode I’m joined by Bobby Guerra and Kaleigh Floyd from Axiom, an IT Managed Service Provider (MSP). They explain exactly what it took to achieve CMMC level 2 certification - after 4 years of effort.Most MSPs aren’t ready for CMMC. Many believe it's just another checkbox, but it’s a complete operational shift that requires rethinking your tools, processes, and client relationships!Here are some of the highlights:How much money they allocated for CMMC (it’s more than you think)How to build scalable and repeatable processes to support complianceThe tools, contracts, and agreements you MUST have in placeHow to prepare for the assessment (and avoid sleepless nights!)Bobby Guerra is the CEO of Axiom and has led the MSP for over 22 years. Under his leadership, Axiom became one of the first MSPs in the U.S. to achieve CMMC Level 2 Certification. Bobby now helps guide clients through their own CMMC journeys, focusing on sustainable security and compliance.Kaleigh Floyd is the Marketing Director at Axiom and Co-Host of the Climbing Mount CMMC podcast. Raised in the MSP world, she now educates others through Microsoft 365 training and cybersecurity content. Her passion lies in simplifying tech and making a lasting impact in the industry.This is a true CMMC for MSPs masterclass! So much great advice packed into this episode!What were your biggest takeaways? Let me know in the comments!Follow Bobby on LinkedIn: https://www.linkedin.com/in/bobbyguerra/Follow Kaleigh on LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/Axiom's Website: https://www.axiom.tech/Climbing Mount CMMC Podcast: https://www.axiom.tech/climbing-mount-cmmc-the-podcast/-----------Thanks to our sponsor Vanta!Need continuous visibility into the state of your security controls?Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e4&utm_campaign=courses#cmmc #nist #cybersecurity

Preparing for a CMMC assessment, but don't know what to expect?Get ready to learn from CMMC Lead Assessor Fernando Machado as he explains EXACTLY what happens in each phase of the CMMC assessment process!Fernando is the Managing Principal of Cybersec Investments which is an authorized C3PAO. Fernando has been involved with CMMC starting in 2020 as a member of the Cyber AB's Standards Management Industry Working Group.Cybersec Investments has already issued 12 CMMC certifications since CMMC assessments began in January of 2025 and previously participated in nearly 20 Joint Surveillance Voluntary Assessments (JSVAs).👉 Here are some highlights:What to expect during a CMMC assessmentThe 4-phases of the CMMC Assessment Process (v2.0)No self-assessment? No independent assessmentCommon issues that could cause assessment failuresHow to make the assessment easier for your assessor (and you)It is overwhelming preparing for a CMMC assessment, but don't go into it without knowing what to expect!What were your biggest takeaways? Let me know in the comments!Follow Fernando on LinkedIn: https://www.linkedin.com/in/fernando-machado-cissp-cism-cca-ccp-5b5581124/Cybersec Investments Website: https://cybersecinvestments.com/-----------Thanks to our sponsor Vanta!Need continuous visibility into the state of your security controls?Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e3&utm_campaign=courses#cmmc #nist #cybersecurity

🔥 "I Could Have Saved $300K on CMMC!" 🔥Miguel is the founder of Villa-Tech, a small but powerful tech company that is breaking into the defense contracting space.Miguel shares a raw and honest look at the costly missteps, lessons learned, and strategies that could save small businesses hundreds of thousands of dollars preparing for CMMC certification!👉 Here are some highlights:How he could have saved $300kBad advice is expensive - how to hire the right consultantsRebuilding their SSP 4 timesThe importance of CMMC education before diving inVilla-Tech has built a CUI enclave environment that other defense contractors can leverage! They also have an amazing set of capabilities and just achieved CMMC level 2 certification, so be sure to check out their capabilities statement below.Small businesses CAN succeed in CMMC, but the path is filled with pitfalls that can drain your budget.Don’t make the same mistakes - learn from someone who’s been through it!What were your biggest takeaways? Let me know in the comments!Follow Miguel on LinkedIn: https://www.linkedin.com/in/miguel-villarreal-0231286/Villa-Tech Website: https://www.villa-tech.comVilla-Tech Capabilities: https://villa-tech.com/government/capabilities-statement/Structura.io Website: https://structura.io/-----------Thanks to our sponsor Vanta!Need continuous visibility into the state of your security controls?Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e2&utm_campaign=courses#cmmc #nist #cybersecurity

CMMC and DFARS compliance is hard - especially in the cloud.Got AWS? They've given you tools that make compliance much easier!In this episode, I sit down with Travis Goldbach from Amazon Web Services (AWS) to break down the solutions AWS has created to simplify CMMC and DFARS compliance.👉 Here are some highlights:AWS compliance automation - reducing manual effort and riskShared Responsibility Model - what AWS secures vs. what you manageAWS GovCloud vs. Commercial Cloud - choosing the right environmentLanding Zone Accelerator - your shortcut to a secure, compliant AWS setupHow AWS is pursuing its own CMMC certification & what that means for youI didn't know that AWS was so mature when it came to CMMC and DFARS compliance!It was really awesome to learn how they are making compliance easier!What were your biggest takeaways? Let me know in the comments!Follow Travis on LinkedIn: https://www.linkedin.com/in/travis-goldbach-b446a223/AWS CMMC website: https://aws.amazon.com/compliance/cmmc/-----------Thanks to our sponsor Vanta!Need continuous visibility into the state of your security controls?Discover the new way to GRC here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s2-e1&utm_campaign=courses#cmmc #nist #cybersecurity #aws

It’s been a long and wild ride on this #cmmc ship! ⛵In this episode, I speak with Stacy Bostjanick who is the Director of the CMMC program at DoD CIO!Here are some highlights from the episode:Expectations for the initial phase in of CMMCWho determines CMMC levels for contracts?How will CMMC waivers work?Criteria for CMMC level 2 self-assessments and CMMC level 3Early use of NIST 800-171 r3And so much more!First mentioned in 2019, CMMC 1.0 was released in 2020 under the Trump administration.CMMC 1.0 was reviewed during the Biden administration, they released CMMC 2.0 in late 2021, and then… There was a great silence.If you threw a small rock, you’d hit ten people who thought CMMC was going away.All this time though, the DoD was quietly marching on.They released the proposed CMMC program rule in December 2023 and released the final CMMC program rule in October 2024 - which is now EFFECTIVE.After all of that, CMMC will FINALLY begin to phase into DoD solicitations and contracts by this summer.CMMC has been a LONG time coming, and it was an honor to hear the back story and why certain decisions were made!What were your biggest takeaways? Let me know in the comments!Follow Stacy on LinkedIn: https://www.linkedin.com/in/stacy-bostjanick-a3b67173/DoD CIO CMMC website: https://dodcio.defense.gov/CMMC/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e43&utm_campaign=courses#cmmc #nist #cybersecurity

Your MSP could be a CMMC disaster. 💥💣💥I wish I was joking.In this episode I speak with Joy Beland about the critical role IT Managed Service Providers (MSPs) play in the CMMC space and why so many of them will cause their clients to fail their CMMC assessments.Here are some of the highlights:The NEW critical CMMC requirement for MSPsWhy so many MSPs will cause their clients to fail CMMC assessmentsWhy MSPs SHOULD still get CMMC certifiedQuestions to ask your MSP to gauge their CMMC readinessJoy is the Vice President of Cybersecurity Compliance at Summit 7 and brings over 20 years of experience as a former MSP owner. Summit 7 is a specialized MSP exclusively supporting defense contractors.If you use an MSP, don't just assume that everything is OK and your MSP has it all covered.It's highly likely that they do NOT and you'll FAIL your CMMC assessment because of them.There are some great CMMC-focused MSPs out there, but the majority of MSPs have NO BUSINESS supporting defense contractors.Choose wisely!What stood out most to you? Whatever your thoughts are, feel free to let me know in the comments!Follow Joy on LinkedIn: https://www.linkedin.com/in/joy-belinda-beland/Summit 7 website: https://www.summit7.us/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e42&utm_campaign=courses

Should you NEVER pay after a ransomware attack?In this episode I speak with Frank Riccardi about cybersecurity in healthcare and the event that triggered much more cyber accountability for the C-suite.Here are some of the highlights:Why healthcare workers are prone to social engineering attacksReasons you SHOULD and should NOT pay after ransomware attacksManaging shadow IT after acquisitions/mergersWhy every member of the C-suite must understand cyberThe importance of a culture of reportingFrank is a former C-level executive with 25 years of experience developing compliance and privacy programs for large healthcare systems comprised of hospitals, physician practice groups, urgent care centers, and other healthcare organizations.I really enjoyed Frank's description of shadow IT! I always thought of an employee who is using an unauthorized application, but I never thought of it from the standpoint of an acquisition/merger.What stood out most to you? Whatever your thoughts are, feel free to let me know in the comments!Follow Frank on LinkedIn: https://www.linkedin.com/in/frank-riccardi-261831b1/Frank's Book (Mobilizing the C-Suite: Waging War Against Cyberattacks): https://www.amazon.com/Mobilizing-C-Suite-Waging-Against-Cyberattacks/dp/1637424248/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e41&utm_campaign=courses#cybersecurity #healthcare #hospital #informationtechnology

Should you fire your MSP?!? 🔥🔥🔥In this episode, I speak with cybersecurity attorney Sarah Anderson about how to evaluate IT Managed Service Providers and how businesses can protect themselves when relying on them.Here are some of the highlights:How you should evaluate MSPsWhat to do after your MSP is hackedManaging the cyber incidentCyber insurance pitfallsShould you fire your hacked MSP?Sarah is the owner of SWA Law LLC and also serves in U.S. Army Reserves as a Lieutenant Colonel.She has been involved in more than 100 cyber incident responses throughout her career and also represents public and private entities in regulatory compliance, cybersecurity practices, and technology contract negotiations.If you are relying on an MSP to manage your IT and security, you won’t want to miss this!As Sarah said, not all MSPs are created equally. Many MSPs have such poor security practices they WILL get you hacked.Encourage your MSP to join MSPCyberX! It's a nonprofit focused on elevating the security of MSPs: https://www.mspcyberx.com/Follow Sarah on LinkedIn: https://www.linkedin.com/in/sarah-anderson-lacyberlawblog123/Legally Cyber website: https://www.legallycyber.com/Sarah's cybersecurity course for lawyers: https://courses.sprouteducation.com/item/cybersecurity-basics-lawyers-653403-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e40&utm_campaign=courses#msp #informationtechnology #cybersecurity #cmmc

SOC 2 isn't the only SOC out there! 🧦In this episode Cera Adams breaks down these SOC reports and what to expect in a SOC audit!Here are a few highlights from this episode:Why CPAs are involvedWhat SOC 1 / SOC 2 / SOC 3 reports mean to providers and consumersDifference between SOC 2 Type 1 and Type 2 reportsHow SOC scoping and audits workSOC consulting/audit independence requirementsCera is the Director of IT Assurance Services and leads OCD Tech's SOC 2 and IT Audit Practices. She has more than 20 years of experience in information security!I've spent most of my career working in the NIST cybersecurity space, so this was very interesting to me!I thought that the SOC 3 report was interesting, especially since many other frameworks don't have an equivalent.What were your takeaways? What is your best SOC pun? Let me know in the comments!Follow Cera on LinkedIn: https://www.linkedin.com/in/ceraadams/OCD Tech Website: https://ocd-tech.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e39&utm_campaign=courses#soc2 #cybersecurity #informationsecurity

Do you use Android at work, but don't really understand it?In this episode Hahna Kane Latonick teaches an Android cybersecurity masterclass for cyber GRC teams:Here are a few highlights from this episode:How the Android project is managedHow Android devices are compromisedThe many steps to update Android devicesMost important steps to secure Android devicesIs Apple more secure than Android?Hahna is the Director of Security Research at Dark Wolf Solutions. Some of her focuses include Android reverse engineering and exploit development. She has been featured on national media outlets including Fox Business News, ABC News, and many others!Too often companies integrate mobile devices at work without truly understanding how they work and the risks involved.Hahna explained these concepts so well! And of course, we had some back and forth on what is more secure, Android or Apple.I really enjoyed this episode and learned more about Android myself! What were your takeaways?Follow Hahna on LinkedIn: https://www.linkedin.com/in/hahnakane/Dark Wolf Solutions Website: https://darkwolfsolutions.com/Android Security Research Playbook: https://asrp.darkwolf.io/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e38&utm_campaign=courses#android #cybersecurity #informationsecurity

Introducing the Penn State Whistleblower.In this episode, the whistleblower explains how he tried to stop Penn State from misrepresenting their NIST 800-171 compliance to the DoD and what he has faced since he blew the whistle!Whistleblower attorney Julie Bracker also shares what the media got wrong in this case and the latest on the Georgia Tech FCA case!Here are a few highlights from this episode:- Hear directly from the whistleblower in this False Claims Act case- What the media got wrong- Recommendations to universities- Advice for other whistleblowersMatthew Decker was the Chief Information Officer at the Applied Research Laboratory at Penn State from 2015 until 2023 and the interim Vice Provost and CIO responsible for all of Penn State from January 2016 until September 2016. Matthew currently serves as the Chief Data and Information Officer at NASA’s Jet Propulsion Laboratory since 2023.It was fascinating to learn that the university assumed compliance with their own AD95 security policy meant they were automatically compliant (at least to some measure) with NIST 800-171. This is a great reminder that the details always matter!Special thanks to Matt for sharing his story with us, and to Julie Bracker for coordinating this interview!Follow Julie on LinkedIn: https://www.linkedin.com/in/juliekeetonbracker/Bracker & Marcus LLC Website: https://www.fcacounsel.com/Connect with Matt on LinkedIn: https://www.linkedin.com/in/matt-decker-cio/Whistleblower's Handbook: https://www.amazon.com/New-Whistleblowers-Handbook-Step-Step/dp/1493028812/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e37&utm_campaign=courses#whistleblower #cmmc #cybersecurity

Confused about Microsoft 365 and DFARS/CMMC compliance?In this episode, I speak with Richard Wakeman, Chief Architect for cybersecurity of Aerospace & Defense @ Microsoft!We discuss the history of the government clouds, the need behind GCC and GCC High, and much more!Here are some highlights:The origins of the Microsoft cloudsWhich clouds support DFARS 7012 complianceWhen will GCC High be FedRAMP authorized?CUI enclave considerationsRichard is a wealth of knowledge, and I have personally benefited from his compliance blog articles since at least 2020!If you are currently operating in the Microsoft cloud or are trying to decide which Microsoft cloud to buy, you won't want to miss this!Were you aware that GCC High isn't FedRAMP authorized yet? What about Microsoft 365 commercial not being compliant with DFARS 7012?Whatever your thoughts are, let me know!Follow Richard on LinkedIn: https://www.linkedin.com/in/wakeman/Microsoft Cloud compliance article: https://aka.ms/MSGovComplianceMicrosoft 365 Roadmap: https://www.microsoft.com/en-us/microsoft-365/roadmap-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e36&utm_campaign=courses

Is your MSP a cybersecurity liability?In this episode, I speak with Brian Hubbard, President of Evolved Cyber Solutions and the MSP Cybersecurity Exchange!We discuss the state of MSP cybersecurity and how MSPCyberX is elevating the security posture of MSPs everywhere!Here are some highlights:Why MSPs are so critical to our nation's securityThe inevitable regulations that will target MSPsMSPs involvement during CMMC assessmentsHow MSPCyberX can helpGRC Academy partnered with MSPCyberX early on to provide CMMC training to its members at a discount! It was great to hear about MSPCyberX's origin story!If your MSP is not a member of MSPCyberX, it is in your best interest that they join!Follow Brian on LinkedIn: https://www.linkedin.com/in/brian-scott-hubbard/Follow MSPCyberX on LinkedIn: https://www.linkedin.com/company/mspcyberx/MSPCyberX Website: https://www.mspcyberx.com/-----------Thanks to our sponsor Vanta!Want to save time filling out security questionnaires?Experience questionnaire automation here: https://vanta.com/grcacademy-----------Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e35&utm_campaign=courses