For many government contractors, the CMMC, or Cybersecurity Maturity Model Certification, is top of mind. From what we're hearing, businesses aren't 100% clear on how to achieve it.
From an IT perspective, the 4 Pillars For CMMC Compliance offer helpful guidance. This article digs into Pillar 3: Security in DNA. This pillar is critical because CMMC approval hinges on IT hygiene and proper cybersecurity.
Need a refresh on the other pillars? Find them here:
How IT Standards Can Make Or Break CMMC Compliance
Why A Mature Service Operation Matters for CMMC
Project Management & CMMC: What They Don’t Tell You
Why Does The CMMC Emphasize IT Hygiene?
There has been an alarming number of government contractor security breaches, hacks and thefts. Here are a few major ones from the last year or so:
- Access to Virginia government contractor sold by Russian cyber criminals
- “Team Snatch” demands ransom; leaks contractor information on the dark web
- DISA data breach exposes personal information of 200,000 people
Self-attested compliance with NIST SP 800-171 was meant to address these issues, but it fell short. So the Department of Defense introduced the CMMC, which adds independent assessment on top of those existing requirements.
With clean IT hygiene and proper cybersecurity, the risk of breaches, hacks and theft decreases significantly.
What Does Proper Cybersecurity Look Like?
When we discuss cybersecurity with businesses, we emphasize security in the DNA. This means a top-down, bottom-up, all-around security-minded strategy: controlling and recording who can enter the office, applying thoughtful admin controls on computers, holding regular security training with employees, and more.
When building a solid security strategy, businesses should include the following controls:
- Strict logging, tracking and reporting of access and changes
- Encryption of data at rest and in transit
- Monitoring and management of administrative access (who holds it, and what they do with it)
- Thorough background checks on all personnel
- Two-factor authentication on every user account
How Can My Business Improve Cybersecurity?
Improving cybersecurity requires a comprehensive look at business operations. It involves employees, processes and technology. Let’s be clear, it’s not easy to see holes in your own business. Here are some starting points suggested by our experts:
Do:
- Use a different password for every site, and use a password manager to keep track of them
- Set up two-factor authentication on all accounts
- Double check everything. Be suspicious of unexpected emails, links and phone calls
- Back up data frequently (hourly for critical systems; daily is often not enough), keep at least one copy offline or immutable so ransomware cannot encrypt it, and test your restores
Don’t:
- Store your passwords in a folder, a spreadsheet or anywhere else easily accessible
- Insert USB thumb drives of unknown origin into a computer. Instead, have the person email the document/photo/etc. to you or share it through an approved file-sharing service
- Reply to suspicious emails, even if they appear to come from someone you trust (boss, accounting, etc.). Call the person who supposedly sent it, using a number you already have, to confirm
Need Another Perspective? How To Vet IT Providers
These are great starting points, but sometimes another perspective is needed. For businesses looking for outside IT support, use these questions to vet IT companies:
- What's your current password policy? (Note that current NIST guidance, SP 800-63B, favors long passphrases and screening against known-breached passwords over forced periodic expiration)
- What's your user termination policy? (It should be written down, with a checklist of every account and device to revoke)
- What compliance certifications or audit reports do you hold (HIPAA, SOC 2 under SSAE 18, PCI DSS)?
- How often are data backups performed, and how often is a test restore performed? (Important with the rise of ransomware; an untested backup is not a backup)
- How are issues and resolutions documented? (Knowledge should be shared between team members; no single "keeper of the kingdom")
- Which security updates get installed, on what schedule, and what vetting happens before installation?
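The backup advice above ("test your restores") and the vetting question about test restores both come down to the same check: can the archive actually be restored, and does what comes back match what went in? The following script is an added example, not code from the original article or from any provider it describes. It builds a small set of constructed sample files, archives them with a SHA-256 manifest, then restores into a scratch directory and verifies every file against the manifest; it then deliberately damages the archive to show that the check catches it. It assumes GNU coreutils (`sha256sum`, `sort -z`) and `tar`; all directory names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article): backup with an integrity
# manifest, plus an automated test restore that proves the backup is usable.
# Directory names are assumptions for demonstration; sample data is constructed.
set -eu

# make_sample_data DIR: constructed sample files standing in for real data
make_sample_data() {
  mkdir -p "$1/finance" "$1/hr"
  printf 'invoice 1001\n' > "$1/finance/invoices.txt"
  printf 'onboarding checklist\n' > "$1/hr/checklist.txt"
}

# backup SRC DEST: write DEST/backup.tar plus a SHA-256 manifest of every file.
# The manifest is what makes a later restore verifiable, not just "it extracted".
backup() {
  src=$1; dest=$2
  mkdir -p "$dest"
  ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) \
    > "$dest/manifest.sha256"
  tar -cf "$dest/backup.tar" -C "$src" .
}

# test_restore DEST: extract the archive into a fresh scratch directory and
# check every file against the manifest. Prints "restore ok" and returns 0,
# or prints "restore FAILED" and returns 1 (damaged archive, missing or
# altered files). Never touches the live data.
test_restore() {
  dest=$1
  scratch=$(mktemp -d)
  if tar -xf "$dest/backup.tar" -C "$scratch" 2>/dev/null \
     && ( cd "$scratch" && sha256sum -c --quiet "$dest/manifest.sha256" ) >/dev/null 2>&1
  then
    rm -rf "$scratch"; echo "restore ok"; return 0
  fi
  rm -rf "$scratch"; echo "restore FAILED"; return 1
}

# demo: back up the constructed data and verify it, then overwrite the archive
# (simulating corruption or ransomware encryption) and confirm the test restore
# reports failure. Returns 0 only if both outcomes are as expected.
demo() {
  work=$(mktemp -d)
  make_sample_data "$work/data"
  backup "$work/data" "$work/bk"
  first=$(test_restore "$work/bk")                    # expect "restore ok"
  printf 'not a tar archive\n' > "$work/bk/backup.tar" # damage the backup
  second=$(test_restore "$work/bk") || true            # expect "restore FAILED"
  rm -rf "$work"
  [ "$first" = "restore ok" ] && [ "$second" = "restore FAILED" ]
}

demo && echo "test restore check behaves as expected"
```

In a real deployment the manifest would be stored alongside an offline or immutable copy of the archive, and `test_restore` would run on a schedule with its result (pass or fail) logged, since a silent failure is exactly what the vetting question above is meant to surface.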
What if My Company is Working Remotely?
No problem. Effective cybersecurity can work from home. Here's what to do:
- If you're working with a managed service provider, ask them for tips and resources
- Create a training session or series for your staff
- Consider penetration testing (pen testing) of your remote-access setup
- Break down training by department. For example, talk about mobile banking malware with accounting
- Set rules such as:
  - Admin controls (who can access what)
  - Usage controls (who can use work equipment; for example, no kids' games on a work laptop)
  - Password managers (require one, and specify which)
  - Prohibited websites
Cybersecurity & CMMC Compliance
With proper IT hygiene and effective cybersecurity, businesses can greatly reduce the likelihood and impact of cyberattacks and data loss or theft. They'll also be one step closer to passing the CMMC assessment. It all starts with a well-executed IT strategy.
If you’re unsure about your current IT strategy around CMMC, we may be able to help get you on the right track. Let’s talk about it.