How eFortresses leveraged Cocoon Data to streamline CMMC training and implementation processes safely and securely for HISPI and eFortresses CMMCSCORECARD service
Taiye Lambo, the founder of eFortresses and the non-profit Holistic Information Security Practitioner Institute (HISPI), is a cybersecurity leader, socially-engaged entrepreneur and virtual CISO with over 30 years of information technology experience across 4 continents.
When Cocoon Data originally approached eFortresses about using their CMMCSCORECARD service to develop a roadmap and prepare Cocoon Data for their planned CMMC Certification, neither Taiye Lambo nor Cocoon Data’s Richard Matthewman realised at the time that this initial connection would lead to such an important ongoing strategic partnership between eFortresses and Cocoon.
Taiye Lambo shares the story behind the collaboration between eFortresses and Cocoon Data and the reasons why eFortresses decided to leverage Cocoon Data’s secure storage and collaboration tool for its CMMCSCORECARD service to receive objective evidence of CMMC Processes, Activities and Practices.
Use Case 1 – Using Cocoon Data to Protect and Enforce NDAs for CMMC Course Content developed by HISPI
Cocoon Data’s Richard Matthewman initially reached out to Taiye Lambo to enquire about using the eFortresses CMMCSCORECARD service to prepare Cocoon Data for their planned CMMC assessment towards the end of 2020.
“It all started on LinkedIn,” says Taiye. “Once I realised Richard was from Australia, I definitely wanted to talk to him, so I set up a call and we just hit it off. When Richard explained the concept of Cocoon Data’s Cocoon Data to me, I was immediately intrigued. I had never heard of Cocoon Data, but I really wanted to try it out for myself.”
“It just so happened that I had at least one immediate use case for the product. At the time, my non-profit Holistic Information Security Practitioner Institute (HISPI) was very close to being approved by the CMMC Accreditation Body (CMMC-AB) to become a Licensed Partner Publisher (LPP). In fact, HISPI was one of the very first 11 organizations to be approved to develop and provide CMMC training content on behalf of CMMC-AB.”
Taiye held an HISPI webinar to provide an overview of CMMC, which Richard and about 100 other participants attended in September 2020. The webinar was a call to action, asking participants to help HISPI review their CMMC course content. The participants who responded to the call to action had to sign an NDA before they received the CMMC Course content, but Taiye was also looking for a way to control exactly who had access to that content, to prevent his competitors from seeing this proprietary and confidential material.
“After learning about Cocoon Data, I decided to participate in the free 14-day trial Cocoon Data offers and then leverage it as a way of ensuring the PDF documents were “view only”. Cocoon Data proved to be a very good way of controlling access – in fact, it was brilliant!”
“Cocoon Data allowed me to safely share the course material with the participants, but they could not download, print or even take a screenshot and share this proprietary and confidential material, because Cocoon Data automatically imprints a digital watermark that cannot be removed or changed.
“Cocoon Data even helped me weed out any competitors who may be trying to snoop. After I explained that I was using Cocoon Data and made them sign an NDA, one of the participants who I had my suspicions about never logged into the Cocoon Data platform once they realised Cocoon Data prevented them from downloading, printing or taking screenshots.”
“I don’t know of any other file sharing competitors to Cocoon Data who can restrict “view only” access by location, time, etc. Right from my very first trial of Cocoon Data, it worked really, really well.”
Use Case 2 – How eFortresses used Cocoon Data to gather evidence, report and share for the gap analysis for Cocoon Data’s CMMC Certification Readiness
After Taiye’s initial trial of Cocoon Data to protect his NDA for the CMMC Course Content developed by HISPI, he decided to also leverage Cocoon Data to securely gather evidence, report and share updates for the gap analysis eFortresses was conducting for Cocoon Data’s CMMC Certification Readiness using eFortresses CMMCSCORECARD service.
“Cocoon Data engaged my company eFortresses’s CMMCSCORECARD service in mid-September with a 30-day timeline to complete the gap assessment for their CMMC certification readiness and because of COVID, the assessment had to be 100% virtual.
“With the Cocoon Data stakeholders located around the world in the US and Australia, we had to leverage Zoom to do some of the assessment workshops, as well as share all the data online – once again, Cocoon Data was the platform of choice and proved to be the perfect tool for the job. I insisted that no files would be shared via email or any other platform – only Cocoon Data was allowed.”
“I felt that if Cocoon was trying to become CMMC compliant, the last thing I wanted was the reports being on the internet and being hacked – we needed to treat every file like Controlled Unclassified Information (CUI), which Cocoon Data’s Two Factor Authentication for every individual file enabled us to do.”
“We used all of Cocoon Data’s access controls, apart from geofencing, which meant at every point, I knew exactly who had access to the files and I could track all downloading, forwarding and printing of files. I could also disable the access to any file at any time.”
“Cocoon Data was easy to set up, easy to implement and easy to use in our role as auditors and assessors for Cocoon Data’s gap assessment for CMMC. I immediately realised how it would help solve many of the problems faced by fellow auditors and assessors.”
Cocoon Data for Auditors and Assessors
In his role as assessor for Cocoon Data’s CMMC Certification Readiness, Taiye uses Cocoon Data to gather evidence, report and share progress. He explains how Cocoon Data’s features help solve many of the problems faced by auditors and assessors.
“The main challenge assessors face today is being able to conduct their assessment in a timely manner AND securing assessment related files in a way that they as Assessors don’t become a weak link for their customer. With Cocoon Data, you can benefit from the speed, convenience and ease of accessibility of sharing in the cloud, without compromising the security of any files.”
“You don’t have to worry about exposing your client to additional risk because with Cocoon Data’s Two Factor Authentication and location, time and user-based controlled access to sensitive documents, Cocoon Data is built for security rather than just functionality.
“However, that being said, I really do believe that ease of use is the biggest selling factor – Cocoon Data is just so simple and easy to use, but it also comes with a lot of bells and whistles that you can use if you need to.
“Auditors can create Cocoon Data folders and invite individual process owners to securely upload control evidence to these folders. Collaborators can report work, share meeting notes and deliverables for assessment through Cocoon Data. It can also be used as a document repository because all assessment related files are treated as Controlled Unclassified Information (CUI).
“The individual encryption key processes are transparent to the user – the Two Factor Authentication is seamless, and I never had to be prompted.”
“One of the things I love the most about Cocoon Data is that I don’t have to bring my techie hat!”
Cocoon Data for Virtual CISOs
“Before I started using Cocoon Data as a virtual CISO, I had an experience with a client who went through ISO 27001 re-certification,” explains Taiye. “They were trying to raise money, so they went through a due diligence audit and they were not comfortable sharing their financial information with external auditors, so what they did was extract the front page of the due diligence audit report as evidence of an independent review of their information security program.”
“Although I had done an independent review of this client’s information security program at the beginning of my engagement, they weren’t allowed to use my own assessment reports as objective evidence of an independent review since I was their virtual CISO, but they could have used Cocoon Data to give the external auditors “view only” access to the due diligence audit report during the audit without giving them the ability to download and also use Cocoon Data’s time-limited controls to restrict the length of access.”
“I am now recommending Cocoon Data to all of my virtual CISO clients, because it solves a common problem if they have concerns with sharing of sensitive information. In the past, they could sign an NDA, print out a PDF and allow third parties to read sensitive information in a locked boardroom, but now, especially with COVID, they cannot print out and share in a boardroom with a signed NDA.”
“Cocoon Data helps virtual CISOs to implement cyber security policies because it provides easy, secure and time-based access to non-public policies and it can also be used as a share point for restricted policies.”
“Sharing personal information is another huge area where Cocoon Data can really help. For example, background checks can contain very sensitive data, such as social security numbers, dates of birth, medical history, home address, etc. With Cocoon Data, the admin or HR person can share sensitive files without the IT admin potentially having access to the information and the person the information is shared with can be time restricted and one time only.”
“Most companies outsource background checks and from what I have seen 9 out of 10 times, sensitive background check information is sent by email. Cocoon Data secures this highly sensitive data and also ensures independence and full audit trail.”
Cocoon Data’s Integration with eFortresses CMMCSCORECARD SaaS platform
Cocoon Data is now being integrated with eFortresses CMMCSCORECARD SaaS platform as an additional option to Microsoft SharePoint. Clients using the CMMCSCORECARD SaaS platform will now have a simple and secure way to upload sensitive objective evidence, with each document having its own unique encryption key. This eliminates the need to send the evidence via email or upload it to a single-key database.
And Taiye is incredibly excited about the benefits for his clients.
“Ease of use, secure design, privacy by design, ISO 27001 Certification, CMMC Certification Ready… Cocoon Data is an architecture that enables scalability.”
“Cocoon Data also helps enforce policies – multi access controls can be applied to a classification or documents to allow users to send a secure document without having to be concerned about complying with policies because Cocoon Data takes care of it. Cocoon Data enables checking of all the boxes for the relevant critical controls in ISO, NIST and CMMC, etc.”
“Cocoon Data stores your data right here in the United States securely in AWS GovCloud.”
Why eFortresses decided to “dogfood” Cocoon Data
As a strategist, Taiye firmly believes if you’ve got a product and you’re trying to take it to market, it’s important to position it in such a way that you become a customer – in other words, you need to first “dogfood” your own product.
“Dogfooding is eating your own dog food,” explains Taiye.
“If you’re building a product, use it yourself so you become your own raving fan first. This is one of the lessons I learnt when my team at eFortresses started helping Microsoft to build their security and compliance framework for the cloud 14 years ago. Before Microsoft launches any product, they have already used it themselves extensively.”
“So when Cocoon Data signed up as a customer for eFortresses CMMCSCORECARD service, we decided to also sign up as a customer to use Cocoon Data for both HISPI and eFortresses. Cocoon Data dogfood our CMMCSCORECARD service and we also dogfood Cocoon Data’s product, Cocoon Data.”
“For me, security is about people, processes and technology. I never vouch for technical products because although I have a technical background, I’m a big proponent of investing in people and processes more than investing just in technology.”
“Just because you have a tool doesn’t mean you know what to do with it. A fool with a tool is sometimes a bigger fool, but once you have the right people and the right training processes, then it makes sense to give them the tool, but the tool can’t replace the human.”
“Before I tout a tool, I want to know that I’ve used it and that it solves a real business problem. Once I started using Cocoon Data, I was sold…I was really, really sold on the value.”
“Cocoon Data is a very simple concept – but the simple solutions are the best. It’s the Keep It Simple Stupid philosophy – if I need a PhD to run the tool, it is probably not the right tool.
“What Cocoon Data does so well is that it takes out the human element that can lead to accidental data breaches. At HISPI, for the past 15 years, we have been doing extensive research into data breaches and we know they are mostly due to the weaknesses of people and processes.”
“And as far as eFortresses and HISPI are concerned, why would you file share when you can Safe Share instead?”