The Value of Continuous Monitoring, (or “Come in spreadsheet row number 349, your time is up!)



It was a marvelous marketing maneuver! The whole company was literally bubbling with excitement. Market share had already sky-rocketed from 4% to 24% by the simple implementation of this beautiful bottle-cap bonanza.  Promotion, pay-rise, praise from all corners seemed inevitable for this, yes call it that which it is, genius plan! Until… It cost $32 billion. That will sure make you burp!



You may have heard this story before, especially if you are my age. It’s from the ’90s after all – my formative years! It is the story of, what was indeed, a genius plan by Pepsico to grow its market share in the Philippines with a simple competition – a competition “borrowed” from the pages of Roald Dahl’s Charlie and the Chocolate Factory no less! A simple plan… Collect bottle caps from your “Pepsi” all with a magic number inside and on May 25th, 1992, the grand prize winners will be revealed. The prize? $1 Million (please read like Dr.Evil – an equally apt 90’s reference) shiny pesos, or the equivalent of about only $40,000 at the time. Enough, however, to buy one a rather spanking house in the Philippines or a whole lotta Pepsi, at the very least.


“I WON!” “So did I” “And me, too” “And me”!

The country went wild for Pepsi. The success surprised even the Pepsico execs. For an entire year, Pepsi-fever gripped the nation like grandpa gripping Charlie’s Golden Ticket. It was all working out perfectly. It was brilliant, and, it was initially well-executed. Strict implementation processes and security measures were immediately put in place to avoid fraud and any other miscalculations. For example, Pepsico’s suppliers were not allowed to print bottle caps, security codes accompanied bottle caps to eliminate fraud, and Pepsico even took charge of making the only two prize-winning bottle-caps with the magic number “349”. Except, there was a tiny hiccup – pre-burp – due to lack of communication with the supply chain and a teeny-tiny process error that was overlooked and then not monitored internally. Consequently, rather than printing 2 caps,  Pepsico inadvertently created 800,000 prize-winners. It was a happy day in the Philipinnes! Praise Pepsi!


Uhhh, yes, well, but, err, yes, err,  it’s tricky, err, and darned unfortunate, err… sorry chaps?

Upon discovery of the error, not too long after the winning number had been announced on national TV, Pepsico, of course, had an “oops my bad” moment and, long story short, riots ensued, lawsuits came forth, Pepsi ran in the streets, and there was a lotta egg-on-the-face. Not to worry, Pepsico managed to survive, though not surprisingly, it is not the drink of choice in the Philippines! I am a Pepsi imbiber to this day, though I am partial to RC Cola when I can get it – Yea! I said it.


People, Process, TECHNOLOGY!

The GRC moral of this story? Pepsi suffered from point in time issues all the way down their supply chain. From the initial implementation of this ill-fated marketing plan, key steps in that implementation were clearly not monitored, communicated and-or subsequently addressed. Vendors were unaware that ‘349’ was the magic number – perhaps understandable – but to print 800,000 ‘349 bottle caps’ points to a large breakdown in communication and oversight. As a GRC professional, I can say with some certainty that many of us are practicing one or more of the following: we are still working from spreadsheets; our risk evaluation is de-centralized; our governance oversight is decentralized; we are not continuously monitoring our controls, which also means our risk prioritization and information is out of date, now. The point about security measures is that they are just that… measures. Measures need to be measured, monitored, maintained, at all times.



So, should the powers-that-be question your need for a modern GRC solution to centralize, prioritize, and manage all your information from a single pane of glass, you might ask which they prefer? Coke or Pepsi? $32 billion versus $125 per month? And, please share this story with them, but “beware”, you may also want to step back, as this story is likely to cause loud burping!

CyberOne does not spend money on marketing (see article above!) enabling us to provide a cost-efficient full suite, integrated GRC SaaS platform with outstanding training and support for all your security team needs. Starting at $125 per month. Our best marketing campaign is our client’s satisfaction. You can read more about our client satisfaction on Capterra, a Gartner review site. The Power of One begins here.

No bottle caps were harmed in the creation of this article.

This source of this story originally appeared in the LA Times on July 26, 1993.

CMMC Helpful Resources



CyberOne is pleased to provide you with some resources below to help you prepare for and implement CMMC Certification.

Get Certified:

Certification Resources

Useful Information:

CMMC Funding Support for DIBs

CMMC Certification Levels 1-5 explained

CMMC Certification: Where and When to Start

News Resources:

Fedscoop – resource for articles and updates on CMMC, including funding sources, certification steps, and general information.

SmallGoveCon – Legal news for small government contractors

Institutional Resources:

CMMC Main Oversight Body – The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD) provides regular

CMMC Accreditation Body National Conversation Series. These recorded presentations led by the CMMC Advisory Board

(NDISAC) The National Defense Information Sharing and Analysis Center – For information on CMMC implementation at all levels

(DIBSCC) The defense Industrial Base Sector Coordinating Council

National Contract Management Association: NCMA

(NIST) National Institute for Standards and Technology



All you need to know: CMMC Levels 1-5


The CMMC model ensures that DoD Contractors meet the specific certification-level cybersecurity requirements for the data they are handling. There are five CMMC Certification levels, but this in itself is misleading. An estimated 75% of vendors will only need Level One Certification. 25% will need Level Two or Three, and only a small 5% will need Level Four or Five.

Which level is right for you? We explain each of the five levels below. You can also click here to jumpstart your certification process.

Level 1. “Basic Hygiene”

Level 1 covers 17 CMMC model requirements and those set forth in 48 CFR 52.204-21.  Contractors looking to achieve a Level 1 status need to have basic cybersecurity controls in place. These include basic Asset Management, Authentication, and Access Controls, or, frequent passwords changes, unique user accounts, and anti-virus software,  Organizations in this category are more likely to deal with Federal Contract Information (FCI) rather than handling CUI.  There is no requirement for a process maturity rating at this level, however, it’s something to consider. 

Level 2. “Cyber Hygiene”

Level 2 is a transitional step to Level 3 and brings forward the need to implement Nist SP 800-171. This is due to an expanded scope from protecting FCI to protecting CUI.  If you are already implementing Nist SP 800-171, then we recommend that you look for a solution to map your existing controls to CMMC and jumpstart your certification. 

Level 3. “Good Cyber Hygiene”

Organizations seeking to gain Level 3 certification must demonstrate that they have implemented effective security controls and that they have the ability to protect CUI.  This includes compliance with all security requirements of NIST 800-171 and DFARS Clause 252.204.7012. Effectively, Level 3 is demonstrated implementation of all Level One and Two policies and procedures. Demonstrating implementation requires continuous control monitoring. Your spreadsheet is not your friend here!

Level 4. “Proactive”

Level 4 covers pro-active measures to safeguard CUI from Advanced Persistent Threats. These are mostly nation-state sponsored threat actors who are highly dangerous to the nation’s security, often referred to as  APTs. Certification at this level requires compliance with 110 NIST 800-171 Requirements plus 46 other practices across all 17 domains of the CMMC model.

Level 5. “Progressive”

Level 5  is “optimization”. Certification automatically implies that the contractor meets all criteria set by the CMMC including all requirements at Levels 1-4. Organizations must have an advanced or progressive cybersecurity program in place.

For more information on how to get CMMC certified, email us at: or find us here.

Read what our clients say about us on Capterra

10 “more” security tips for working from home

Just recently, I had a conversation with a friend, who works for the U.S. Navy. She is overwhelmed with work as she teleworks from home because of the Covid-19. Her profession can easily be switched to telework, whereas other coworkers can’t, but that is no reason effective guidance cannot be provided. Here is what she had to say…

With the outbreak of Covid-19, we are dealing with an unforeseen occurrence, a black swan event. As a cyber professional, I hope organizations have a Continuity of Operations Plan (COOP) to initiate along with their Standard Operating Procedures (SOP). Many do have such plans, but for others, it is abundantly clear guidance is missing. It is not simply about “putting” the language into a document, “checking” the boxes, and copying off SANS Institute’s website. You need an AFFECTIVE plan than can be INITIATED, UNDERSTOOD and FOLLOWED by others.

My 10 Step Program


Ensure internet connections work. Test your communication portals like Zoom, Skype, etc. Review security and privacy protocols, especially if you have roommates. Just because you are home, does not mean you be relaxed with security protocols. Consistency ensures efficiency. INVENTORY: Your organization should ensure you have access to the type of equipment you need to work remotely. You may need to take note what you have access to and communicate this effectively with management and make request for items you do not have. CLOUD-BASED CAPABILITIES: To ensure feasibility to the Internet, file-sharing, e-mail and unified communications via mobile applications, chat, etc., the right cloud-based tools need to be available. Check them.


As an employee, before reading up on any guides or joining a Team chat, make a commitment to yourself. This means planning, such as ensuring you cleared a space for yourself, not matter how small. Try to create a home office space, even at the kitchen table. This is your spot. Own it. STAY ORGANIZED: Create a personal “to-do list” each morning. Keep track of the time required (i.e. 8 hrs.). Consider creating your own timecard where you note hours spent on each ticket item. Ensure you have breaks and embrace the flexibility of working from home. But, at the end of the day, ensure you meet your objectives. WORK FLEXIBILITY: With being remote, you have flexibility with your start time and end time. Ideally, if doing 8 hours, you should commit to those hours. However, even I will scatter my time throughout the day or make it up on another day. It is all too easy to work during dinner, and before bed.

*Side note: I personally created my own classical music list off Spotify to ensure no distractions. I’m like a squirrel and can get excited about shiny objects, so my music keeps me on track and closed off to distractions.


Hopefully, your company has provided you with the right material to work remote. If not, no worries! Be accountable to yourself. You can ensure the chain of communication work. Some workers feel isolated, so it is important for your organization to maintain some sort of social contact with other employees. I suggest, if you have Office 365 or Zoom, to initiate a weekly Scrum Call at the beginning of the week and end. If this is not in place… be a star and create one or suggest it to management. DELEGATE: Embrace delegating. I’ve often come across employees who struggle with this. OVER-COMMUNICATE: Document everything to ensure colleagues are informed and information does not get lost through digital mail. I also create a Weekly Status Update or WSR (can download templates online) for my weekly meetings. I am amazed how organization and accountability and simple note taking can easily impress people.


Take some time for you! Depending on how long you will be teleworking, being closed off can feel like you have fewer opportunities for training and professional development. With Covid-19, I personally think this is a great time for training! This challenge can easily be alleviated by communication between the supervisor and the employee, as well as effective performance monitoring on the part of the supervisor.