What CMMC means for you

Whether you’re a defense contractor or a supplier to defense contractors, the Cybersecurity Maturity Model Certification (CMMC) is likely to have a direct impact on you, and soon.  Managed Service Providers (MSPs) supporting sub-contractors are already seeing interest in CMMC skyrocket.

The NIST 800-171 cyber security standard is already a requirement for Department of Defense (DoD) contractors under DFARS.  CMMC extends NIST 800-171 to include certification.  There are three important recent CMMC developments:

1) Prime contractors are starting to enforce NIST 800-171 compliance, even in advance of CMMC.

While the Defense Federal Acquisition Regulation Supplement (DFARS) has required NIST 800-171 for at least five years, enforcement has been lax.  Many subcontractors simply put together a Plan of Action and Milestones (POAM) and left implementation behind.  Now primes are starting to enforce compliance themselves, asking for completed security questionnaires and validation.

If you have a DoD subcontract, you’ll likely start to see compliance terms in your RFPs and contracts, along with auditing rights.

2) The DoD is phasing in a self-reported score on each NIST 800-171 control. Self-reported compliance is getting teeth, but still selectively.

Similar to the prime contractors enforcing NIST 800-171 compliance, the DoD itself is tightening the reins.  A CMMC Interim Rule was recently issued and will take effect on November 30, 2020.  This rule requires defense contractors to self-report their NIST 800-171 compliance for select contracts, using a specified scoring methodology.

You will want to check your RFPs to see if “DFARS 252.204-7012” is included.  If so, and if you want a chance to win, you will have to self-report a compliance score.  Contract awards that include this clause will be subject to reviews of the reported scores, and perhaps audits.

If you have a DoD contract, CMMC may be coming sooner than you might think.  Fortunately, some funding for compliance may be available or refundable through the contracts.

3) It appears CMMC will expand beyond the DoD, to all federal contracts.

Already the General Services Administration (GSA) has started advising their suppliers to prepare for CMMC.  Similarly, the Department of Homeland Security appears to be heading towards adopting CMMC.  As more federal contracts head in this direction, look for states to follow suit.  While a few states may choose to develop their own standards, most will be oriented to use what’s already developed and gaining momentum.

The buzz around CMMC has accelerated as suppliers and their IT partners prepare for this major cyber security requirement.  Many MSPs are readily capable of implementing the technical controls associated with CMMC.  However, few are prepared to support that implementation with the over-arching security programs and administrative controls, including governance (policies) and compliance audits.  If CMMC is entering your world, feel free to reach out for a consultation.

Avoid Revenue Friction

Are Security Questionnaires & Requirements in RFPs and Contracts Creating Revenue Friction?

It’s a story we hear often. Your sales team gets a prospect all the way to the closing point, and suddenly a security questionnaire is required. The sales person can’t fill it out, so they send it to the Information Technology (IT) group. The IT group can address half the items, but the other half are policy or contractual issues. They send it to Legal or Human Resources (HR). More friction. More delay.

Security is not a technical issue, it’s a human issue.

Meanwhile, the revenue is stalled until you can work through each component and identify which “control” aligns with which “requirement”. And every effort the sales person puts in to expedite the process and navigate the response through multiple departments is time lost from their core job: selling.

It’s enough to drive the sales person… and the executives, crazy. It’s what we call “Friction” in the revenue pipeline.

Why is this happening more and more?

Because increasingly our clients are facing regulations and addressing their own security vulnerabilities. Whether it’s HIPAA, GDPR, PCI or CCPA, the regulations increasingly are passed through to service providers and vendors in the supply chain.

What’s a sales leader or business owner to do? Start by identifying the baseline security policies and procedures and creating a link between the most common requirements and the corresponding security control. By automating a substantial part of the process, this pre-designed security response not only reduces the friction, but also becomes a reusable asset. As new questions or requirements come through, update and improve the process, thereby accelerating revenue recognition and keeping the sales team focused on selling. Does any of this resonate with you and your sales team?

Managing Your Employees’ “Return to Office” Process

Governments at all levels are evaluating their timeline and policies for lifting quarantine restrictions.  Similarly, business owners and executives should be planning now for how they will proceed with returning employees to the office (RTO).

The shift to working remotely was very abrupt and rapid.  Fortunately, we have a little more time and consideration to manage the return to the office.

Like business resiliency plans, bringing your employees back to the office, and re-opening your business requires planning and execution.  It’s a multi-disciplinary approach, crossing functions such as:

  • Communications – Internal and external
  • Human Resources
  • Information Technology
  • Legal
  • Management

The processes and policies that we define now are not without risk.  We have to respect our employees and customers, but we must also consider meeting regulatory requirements, as well as limiting liability and legal risk.  Having written policies is key.  Here are a few primary considerations:

  • What source will trigger your “Return to Office”?  CDC, State, Local?
  • Is the RTO comprehensive across our employee base, or incremental?  If incremental, what are the criteria and timing?
  • What safety and preventive measures will we put in place, and how will they be enforced?  Masks, temperature checks, distancing aids and signage?
  • How do we balance information sharing with privacy for employees who get sick?
  • How do we manage outside vendors, visitors, and other non-employees?
  • Are all our plans reviewed for regulatory and legal compliance?

Like most formal business processes and plans, we should follow definitive steps:

  • Identify requirements and vulnerabilities
  • Develop plans and policies accordingly
  • Deploy processes and resources to support the policies

Managing the process well is a key element in keeping the employees and the company safe and secure, and sustaining our brand and reputation.

Phishing Your Remote Workforce in Today’s Changing Business Environment

We’re several weeks into our new work-from-home environment. For many workers and businesses, working remotely is commonplace. Yet most businesses are now supporting a far greater percentage of the workforce working from home (WFH) than ever before. The shift to WFH, accompanied by a broader set of dramatic workforce changes, has opened new opportunity for bad actors to exploit a key cybersecurity vulnerability: phishing your people.

Same as it ever was: people are your soft target

Phishing attacks remain a key threat, only now bad actors are using the current whirlwind of terminology and change to their advantage. Our WFH workforce is rapidly adapting to new technologies, new applications, and new policies.  This creates a huge level of uncertainty that is ripe for exploitation. The cyber criminals are using all the new terminology in their rapidly evolving and sophisticated phishing attacks.

Targeting the uncertainty around new technology and applications, phishing expeditions offer help with setting up your work-from-home access or accessing your Zoom meetings.

Similarly, they are camouflaging their phishing behind “Covid Bait”, including posing as the CDC, the WHO, or local health agencies.

And now, with new government economic relief packages emerging, they are promising help with securing financing, obtaining aid funding, and finding employment.

People have always been among our biggest vulnerabilities in securing our critical IT infrastructure. The prescription for keeping your organization safe is likewise the same as before, but it needs to be refreshed and updated for the current environment.

Audit, Plans and Policies, Processes and Technology

  • Audit to determine your vulnerabilities
  • Develop plans and policies to address the vulnerabilities
  • Deploy processes and technology to support the policies

For the latest wave of phishing attacks, that means reminding your employees of your policies. If you don’t have policies, develop them. Be sure employees are aware of, and cautious about, the new attacks cloaked in today’s terminology. Don’t click on a link or an attachment from any unknown source. Verify the source, and ask for help if anything looks suspicious. Report suspicious email according to your company policies.

Few of us anticipated that a global pandemic would result in a huge percentage of the workforce working from home and become a potential threat to our business continuity. Now that the pandemic has triggered our business continuity plan, be sure to capture the lessons learned and document them in your security and business resilience plans.

Need help with any aspect of your information and data security audits and plans? Let us know.