Experts from across FTI Consulting are engaged on a massive, ongoing data governance project for a large global telecommunications client. We recently discussed the matter with key members of the team, Jake Frazier, Steve McNew and Adam Ingber, to understand the key challenges of the matter and the primary regulatory issues the client has sought to address through improved governance.
Frazier: This program was implemented in 2020 as a new set of cybersecurity standards all third-party DOD contractors are required to meet in order to maintain and bid on government projects. It includes a five-tiered set of complex security and governance controls—largely based on NIST standards—and requires contractors to retain third-party assessors to inspect and verify whether they have fulfilled CMMC standards. These include specifically the protection of controlled unclassified information (CUI), which the government defines as data that is sensitive but unclassified. For organizations that regularly contract with the DOD, tens of millions of dollars in revenue are at stake in CMMC compliance. Informally, additional government agencies have indicated potential adoption of CMMC for outside contractors.
As mentioned in the earlier discussion, in order for this client to preserve billions of dollars in government contract revenue, the organization needed to fulfill the new CMMC requirements by identifying CUI in more than 3,500 applications comprised of approximately 7,000 structured databases and protect the information in methods outlined by the government.
Frazier: This is a significant initiative, and the client has re-engaged with us to add more elements to the project as new data issues and risks are uncovered. Broadly, we’re providing expertise across risk management, data privacy, legal and regulatory requirements and leading the implementation of policies, processes, role-based access controls and security measures to bring strong governance and compliance to the client’s vast universe of data.
Ingber: From a technical perspective, much of our early work focused on an application rationalization assessment to defensibly decommission data sources that were redundant or no longer needed by the business. For the remaining applications and databases, we utilized a data protection platform to scan a sample of each database, database schema, table and field, across SQL, Oracle, Hadoop, DB2 and others, to classify data that has potentially personal, sensitive or controlled information. With this insight, the team worked to validate whether the data required protection, what protection method was appropriate (encryption, data masking, tokenization), and what level of access individuals or user bases required.
McNew: We’ve invested significant time in understanding the layout and organizational structure of our client’s environment. In the first stages of doing this, we found 2,000 additional applications that had not been included in the initial scope but needed to be addressed. Our team has used analytics and forensic technology methodologies to understand how the systems operate and determine the web of data lineage between applications to inform remediation efforts.
Ingber: Yes, and the work is continuing. Through identifying and analyzing thousands of applications and databases across the organization, we’ve already helped the client hit its first critical milestone—identifying sensitive data across all systems, defining the protection obligations required by the CMMC, GDPR and other privacy rules, and developing a mitigation path for each. The protections that are being implemented are foundational to fulfilling the new CMMC rules required for the company to preserve its contract work with the U.S. government, as well as ensuring the company adheres to the latest privacy regulations.
McNew: To date, our team has architected and deployed a data governance approach that both supports compliance with the most stringent regulations and remains agile enough to adapt to new, emerging laws and data protection requirements.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Senior Managing Director, FTI Consulting
Senior Managing Director, FTI Consulting
Senior Director, FTI Consulting