VMblog's Expert Interviews: GigaTrust Talks Community of Interest, DoD and NIST 800-171


With the NIST 800-171 deadline fast approaching on December 31, 2017, GigaTrust announced the availability of the first and only "community of interest" deployment of GigaCloud. This is a fully-managed document and email security ecosystem dedicated to DoD suppliers that are required to meet strict security compliance standards when sharing documents and emails amongst themselves and with the DoD.

To learn more, I spoke with Brad Gandee, VP of global sales at GigaTrust.

VMblog:  To kick things off, can you provide us a little detail about your background? 

Brad Gandee:  I joined GigaTrust in March 2007 and am responsible for the company's worldwide sales organization. I have more than 20 years of expertise in digital media security and protection technologies, and additional expertise in business strategy, market research, market development, and product management.

Prior to joining GigaTrust, I was the technical evangelist for ContentGuard, a leading ERM technology development company, where I was responsible for the company's strategy in the standards arena and the licensing program to the mobile telecom industry. Prior to ContentGuard, I was President of DeskGate Technologies, which offered proprietary technology for packaging, distribution, and tracking of digital content.

I've served on the Boards of Directors of the Internet Streaming Media Alliance and the MPEG Industry Forum, and have been a frequent speaker at digital media industry conferences. I've played a role in the development of XrML, eXtensible rights Management Markup Language, the baseline technology for the Rights Management Services platform available from Microsoft. I hold a BA from the University of Pennsylvania and an MBA from the Wharton School of Business.

VMblog:  And how about a quick overview of GigaCloud?

Gandee:  GigaCloud is GigaTrust's fully-managed SaaS (Software as a Service) offering providing secure endpoint document protection, delivering email and document collaboration services anytime, anywhere, on any device and any platform, with real-time data analytics, reporting and administrative tools. GigaCloud is the first and only secure email and document protection, consumption, and collaboration service that is an easy-to-use, easy-to-deploy cloud service powered by the Microsoft Active Directory Rights Management Services (AD RMS) security ecosystem.

VMblog:  Can you give readers an overview of the recent announcement?

Gandee:  The "Community of Interest" is GigaCloud's fully-managed document and email security ecosystem dedicated to Department of Defense (DoD) suppliers that are required to meet strict security compliance standards when sharing documents and emails amongst themselves and with the DoD.

Following the successful launch of GigaCloud in March 2017, GigaTrust is now addressing specific vertical industry customer demand for a secure document collaboration solution that allows organizations with a shared interest - including government suppliers, healthcare organizations and financial services companies such as banks - to share information with one another safely and securely, allowing them to maintain compliance and simplify business processes. One of our focused vertical offerings is a special instance of GigaCloud for DoD supply chain participants that are addressing the need for secure transfer of sensitive information between companies.

VMblog:  Why is meeting the NIST 800-171 requirements vital to the security of our nation?

Gandee:  Meeting the NIST 800-171 requirements is both vital to the security of our nation and provides security for organizations' valuable assets and data. A stunning example of the need for information security throughout the supply chain is the infamous Chinese knockoff of the F35, the J-31. There has been much speculation that the J-31 was not developed from scratch by the Chinese, but was indeed the result of Chinese data theft of the F35's design plans and specifications.

VMblog:  What specific controls do you meet?  How many are there?

Gandee:  GigaTrust has demonstrated a commitment to the DoD supplier community and recently partnered with Forcepoint and ICM to bring together best-of-breed security products tailored for NIST 800-171 technology controls. Together, GigaTrust, Forcepoint and ICM are making NIST compliance faster and easier, with a rapid five-day implementation.

GigaTrust alone has fulfilled 26 of the 109 requirements that must be fulfilled, which include limiting information system access to authorized users, and verifying and controlling connections to and use of external information systems. It's worth noting that not all of the requirements require technology; some are strictly policy problems, which GigaTrust can't solve.

VMblog:  Can you walk me through how DoD suppliers will use this offering?  A real-world example?

Gandee:  The "community of interest" GigaCloud option will initially be rolled out for the DoD supply chain. These organizations share a common challenge with a requirement to demonstrate compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, by December 31, 2017. Now, the dedicated GigaCloud "community of interest" deployment will allow DoD suppliers to securely collaborate with one another, while ensuring regulatory compliance.

VMblog:  You recently partnered with Forcepoint to make this available - what is the implementation process for this?  And is there support through the process?

Gandee:  Together, GigaTrust, Forcepoint and ICM are making NIST compliance faster and easier, with a rapid five-day implementation. Because this is a cloud-based system, the implementation is easier than ever. It's a simple process. We enable each company to assign admin responsibilities to their own personnel. From there, they can enable both internal employees as well as users at their external business partners, up or down the supply chain. Once enabled, each user can protect the email and documents that they exchange, complete with data collection about all interactions people have with the information. This tracking, reporting and alerting capability within the GigaCloud platform is key to maintaining compliance with the NIST 800-171 controls.

Forcepoint is providing next-generation firewall technology to create a secure enclave within each company's network, as well as their DLP technology for tracking the sensitive information. Our other partner, ICM, is providing deployment planning and implementation as well as training and custom configuration services for the entire bundle.

VMblog:  How would you add a new member to the community?  Would this cause potential for data leakage?

Gandee:  Individuals must be verified with a DoD Commercial and Government Entity Code, or CAGE number. The CAGE Code is a unique identifier assigned to suppliers to various government or defense agencies, as well as to government agencies themselves and various organizations. This lets us know that they are a legitimate supplier to the DoD. We're taking precautionary measures with vetting these outside parties so no one can forward these. Once your CAGE number is validated, you can self-provision within the community.

VMblog:  Do you think other companies are taking these NIST 800-171 requirements seriously?

Gandee:  Businesses cannot move forward if they don't take these requirements seriously. While there are a number of different ways to meet these requirements, there is still a lot of confusion about how compliance will be assessed or what the criteria are for successfully going through an audit. However, the potential penalty is clear: companies not in compliance may be denied the ability to sell their products or services to the DoD.

VMblog:  Finally, how will this announcement impact the global DoD supply chain community?

Gandee:  It is hoped that this new set of requirements in the DFARS will tighten up security for the entirety of the DoD supply chain now, and eventually for all suppliers to the government. That's right, the plan is currently to include these controls in the FAR as well. This means that all suppliers to the government, both on the DoD side as well as civilian, will need to ensure the safe handling, protection and tracking of the CUI they have or are exposed to. There still remains the possibility of some disruption within the DoD supply chain if critical suppliers are deemed non-compliant and temporarily blocked from doing business while they take corrective action.


Published Wednesday, November 29, 2017 8:01 AM by David Marshall