3 Steps to CMMC

You can’t say you didn’t know it was coming. If you are one of the nearly 300,000 businesses that serve the DoD, by now you’ve heard that you’ll eventually be required to hold some degree of Cybersecurity Maturity Model Certification (CMMC). Will you be ready?

Which CMMC level will you need going forward?

The majority of small to mid-sized contract and subcontract manufacturers will need Level 1 CMMC certification, the level that applies to contractors handling Federal Contract Information (FCI). It’s called “Foundational” for good reason, but more on that later. Level 2, or “Advanced,” is for those handling Controlled Unclassified Information (CUI). A third level, “Expert,” will exist for the 500 or so companies that work on the most sensitive projects. Whatever the level, your company’s cybersecurity readiness will be assessed and found either compliant or not as a precondition of working with the DoD.

Because Level 1 is Foundational, it applies to every manufacturer in the defense industrial base. But even companies that are not bidding on government contracts should still focus on strengthening their cybersecurity profile. CMMC offers a clear model for doing so.

After all, CMMC is more than just a certification. It’s a way of attaining and applying the knowledge you need for your business to thrive, now and in the future.

What do you need to know now?

While the specifics of CMMC 2.0 and its accreditation process are still being worked out, there are a number of things proactive companies can and should do now to ensure a faster, smoother, and less expensive certification process down the road. You can think of these as baseline cybersecurity hygiene. These are the same steps we recommend to our clients, by the way. The first two do not require a great deal of IT expertise, and at the same time they strengthen, protect, and improve the efficiency of your organization.

First, you need to know what software, and which versions of it, is running on your network. This might require some legwork. We use network discovery (“sniffer”) software to scan client networks so they have a full picture of everything installed on every machine connected to the network, from production equipment and servers to PCs and tablets. Record the operating system and patch level of each device as well as the applications on it; the operating system is usually the first thing an assessor, or an attacker, checks. Company owners and their in-house IT staff are often surprised by what we find: very old and insecure operating systems, pirated software, older versions missing security patches, and more.

Small and mid-sized companies tend to grow organically, adding machines and software to meet immediate needs, and those devices tend to stay on the network long after anyone thinks about them. Generally speaking, the longer software goes unpatched, or past its vendor’s end of support, the more publicly known vulnerabilities it carries. Hackers and other bad actors are not just technologically sophisticated, they are also smart. They know where to look for vulnerabilities in your network. If I were a hacker who wanted into your business, your outdated software is the first place I’d look.

Second, and related to the first, document exactly what data (internal and external), what critical software, and what intellectual property you want to protect, and determine who in the organization has access to each. With this information you can make better-informed decisions about who should have access. You might find that just one person has access to certain mission-critical data, which is a significant risk; you might equally find that far more people can reach it than have any need to.

The third step you might need some help with, but having done the first and second steps will make this one easier. You need to identify which systems are most vulnerable to compromise, for example the equipment with obsolete or unsupported operating systems we discussed earlier, and isolate them from the larger network. A quick review of what is open on the firewall is a good place to start: if legacy equipment is tied into the larger network, every rule that lets traffic reach it is a point of vulnerability. It is an easy and inexpensive process to create stand-alone network segments that let you operate exactly the way you have been without exposing the entire network. Upgrading production equipment can be a back-breaking capital expenditure; by isolating it you can continue to use older technology while mitigating the risk to your systems and data.
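As an added illustration of the three steps above (this is not the author's tooling, and it runs on constructed sample data with hypothetical hosts, users, segments and firewall rules), the following Python script does the triage in code: it flags hosts whose operating system is past vendor support, finds critical data held by a single person or by an oversized group, lists the firewall rules that let traffic from outside a legacy machine's own segment reach it, and proposes a legacy segment for each. The end-of-support dates in the sample are the vendors' published dates for those Windows versions; every host name, address, user and rule is made up, and the reference date is an assumption.

```python
"""Readiness triage for the three steps: inventory, access register, isolation.
Added example with constructed data; not the author's tooling."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

TODAY = date(2024, 6, 1)  # assumed reference date for the end-of-support check


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    os: str
    os_eol: Optional[date]  # vendor end-of-support date; None = still supported
    segment: str            # network the host sits on today
    role: str


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR
    dst: str     # CIDR
    port: str    # "any" or a port number as a string
    action: str  # "allow" or "deny"


# Constructed sample data (hypothetical hosts, users and rules). The EOL dates
# are the published end-of-extended-support dates for those Windows versions.
SEGMENTS = {"office": "10.0.1.0/24", "shop-floor": "10.0.2.0/24"}
HOSTS = [
    Host("fileserver", "10.0.1.10", "Windows Server 2019", None, "office", "file share"),
    Host("cad-ws-03", "10.0.1.23", "Windows 10 22H2", date(2025, 10, 14), "office", "CAD workstation"),
    Host("erp-db", "10.0.1.40", "Windows Server 2008 R2", date(2020, 1, 14), "office", "ERP database"),
    Host("cnc-mill-1", "10.0.2.15", "Windows XP", date(2014, 4, 8), "shop-floor", "CNC controller"),
    Host("cmm-station", "10.0.2.31", "Windows 7", date(2020, 1, 14), "shop-floor", "inspection PC"),
]
# Step 2 register: which people can reach which data set or system.
ACCESS = {
    "customer drawings (CUI)": {"alice", "bob"},
    "quoting spreadsheet": {"carol"},
    "erp-db": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "cad-ws-03": {"bob"},
}
CRITICAL = {"customer drawings (CUI)", "quoting spreadsheet", "erp-db"}
RULES = [
    Rule("office-to-shop-any", "10.0.1.0/24", "10.0.2.0/24", "any", "allow"),
    Rule("shop-to-erp", "10.0.2.0/24", "10.0.1.40/32", "1433", "allow"),
    Rule("vendor-rdp-to-cnc", "0.0.0.0/0", "10.0.2.15/32", "3389", "allow"),
    Rule("shop-internal", "10.0.2.0/24", "10.0.2.0/24", "any", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


def unsupported_hosts(hosts, today):
    """Step 1: anything whose vendor support ended before `today`."""
    return [h for h in hosts if h.os_eol is not None and h.os_eol < today]


def single_holder_assets(access, critical):
    """Step 2: critical data held by exactly one person (key-person risk)."""
    return sorted(a for a in critical if len(access.get(a, set())) == 1)


def oversized_groups(access, critical, max_users):
    """Step 2: critical data readable by more people than it plausibly needs."""
    return sorted(a for a in critical if len(access.get(a, set())) > max_users)


def exposing_rules(hosts, rules, segments, today):
    """Step 3: allow rules that let traffic from outside a legacy host's own
    segment reach it. Each one is a path from the office LAN or the internet
    to a machine that can no longer be patched."""
    findings = []
    for h in unsupported_hosts(hosts, today):
        addr = ip_address(h.ip)
        own = ip_network(segments[h.segment])
        for r in rules:
            if r.action != "allow" or addr not in ip_network(r.dst):
                continue
            if not ip_network(r.src).subnet_of(own):  # source reaches in from outside
                findings.append((h.name, r.name))
    return findings


def isolation_plan(hosts, today):
    """Step 3: group legacy hosts into a dedicated segment per current network,
    so they keep running but only see the traffic they actually need."""
    plan = {}
    for h in unsupported_hosts(hosts, today):
        plan.setdefault(f"legacy-{h.segment}", []).append(h.name)
    return plan


if __name__ == "__main__":
    print("Unsupported operating systems:")
    for h in unsupported_hosts(HOSTS, TODAY):
        print(f"  {h.name:<12} {h.ip:<12} {h.os} (support ended {h.os_eol})")
    print("Critical data held by one person:", single_holder_assets(ACCESS, CRITICAL))
    print("Critical data with more than 4 users:", oversized_groups(ACCESS, CRITICAL, 4))
    print("Firewall rules exposing legacy hosts:")
    for host, rule in exposing_rules(HOSTS, RULES, SEGMENTS, TODAY):
        print(f"  {host:<12} reachable via rule '{rule}'")
    print("Proposed isolation segments:", isolation_plan(HOSTS, TODAY))
```

The firewall check is deliberately narrow: it only asks whether an allow rule lets anything from outside a host's own segment reach an unsupported machine, which is exactly the condition the text describes as legacy equipment being tied into the larger network. The `shop-internal` rule is left alone because it stays inside the segment, while the vendor RDP rule from anywhere to the XP controller is the kind of finding that should drive the isolation plan.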

I do something similar in my own home. To protect my children, I keep their devices on one network. Because I’m still not sure what vulnerabilities my internet-connected appliances might create, I have them on their own network, and so on. It’s like having watertight compartments in the hold of a ship: if one compartment floods, the rest stay dry and the ship stays afloat.

This security assessment process might require a couple of hours of consultation from a credible cybersecurity expert, but it will be money well spent and bring your business closer to compliance whenever CMMC requirements are implemented.
