CMMC is a wake-up call, but if your competitors are sleeping on cybersecurity, don’t wake them
Good news for small manufacturers looking for ways to stand apart from the competition. By delaying the launch of the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense may have actually done you a favor. They’ve handed you a golden opportunity to zig when everybody else is zagging.
Think about it. If your competitors are small and mid-sized businesses that supply the DoD, their concerns aren’t too different from yours. They’re probably aware that CMMC requirements are coming, but that’s an IT issue, so it’s not a top-of-mind concern, especially compared to labor shortages, supply chain issues, inflation, and so on. They know that cybersecurity is important, but it’s tangential to operations, like having locks or alarms on the building. Sure, the requirement to achieve a CMMC Level 1 or Level 2 certification is coming, but it doesn’t seem urgent. Whenever a deadline gets close, there is another delay. It is as if a regulatory hurricane were forming somewhere out in the open ocean: it might be headed our way, so we will keep half an eye on it and hope it dissipates or turns before making landfall.
As everyone knows, waiting until the hurricane has knocked out a good part of the local power grid is a poor time to go shopping for a generator.
Eventually, and well before the deadline, CMMC compliance requirements will make their way into more and more federal and DoD contracts. Clearly, those companies that have already moved toward CMMC compliance will have a much easier time certifying, but compliance is not the only business benefit of cybersecurity. As strange as it might sound, the CMMC certification itself might be the least important benefit, for now anyway.
What actions are we advocating? Understanding, documenting, and establishing basic protection of your digital environment and processes before most of your competitors do. That sounds like a lot, but it’s essentially taking an inventory, identifying the most important items and biggest threats, and safeguarding them appropriately. This also gives you CMMC Level 2 certification, something that we at MX2 Technology can help you achieve.
Instead of looking at CMMC compliance as yet another set of regulations, we encourage our clients to see it as a description of baseline security, similar to the way ISO sets out basic quality standards. You might be ISO certified already, without regulations telling you to be. You do it because it’s a good practice, and your customers expect you to have it.
CMMC is not much different. A CMMC certification shows your customer base that you have taken the steps necessary to protect their data and your own operations. The protections necessary for CMMC Level 1 certification will be all that most of you will truly need. They amount to basic risk avoidance, not that different from requiring hearing protection, safety glasses, or safe processes in your production environment. We can take potential customers on tours of the shop floor, but not of the digital subfloor, so to speak, on which operations rest.
Because we can’t visualize our networks, it’s hard to see the risks in them until something happens. But what if we could see? Imagine your budget spreadsheets, payroll information, confidential client files, or other mission-critical documents were only available in hardcopy. Would you keep them piled in front of an open window, stack them next to a fireplace, leave them in the hands of a disgruntled employee, or give them to someone you bumped into on the street to deliver to your customer or accountant? If you saw any of these things, you’d stop everything and make sure these key items were locked in a fireproof, water-tight safe to which only you and a few trusted staff had the combination.
What we’ve described might sound ridiculous, but we assure you it is not. We see these issues regularly on networks of companies large and small, but that is because we can see in the digital environment in a way most manufacturers simply cannot.
Right now, as you read this, do you know where all your mission-critical software and documents (including email attachments) are? Do you know who has access to any or all of them? Do all your people know how to keep them safe?
Your competitors will likely see the delay in CMMC requirements as a reason to relax. Use the extra time to your advantage and get a security assessment done to check your basic cyber hygiene and your organization’s risk profile against cyber threats.