As a small business, you have an area of expertise, and then there are many functions for which you simply don’t have the manpower or bandwidth to give them adequate consideration. That is certainly the case for concerns like payroll, accounting or HR. Now consider how significant your records are and how you keep and secure your computer documents and policies. The security of your organization’s data, and that of your clients, is essential to your survival. One data breach can shutter your doors, ruin your reputation, and cost you staggering fines. Now more than ever, businesses do not have the luxury of ignoring the implications of inadequate data management and security.
What It Means, and Why
The recent emergence of the Cybersecurity Maturity Model Certification (CMMC) initiative builds on the tenets of the DoD’s existing DFARS 252.204-7012 regulation, which requires contractors at a minimum to “self-certify” their implementation of proper security practices. CMMC ups the ante for the Defense Industrial Base by independently verifying that contractors have the proper controls in place to protect the government’s data before the DoD does business with them.
Translation: If you currently do work for the DoD or plan on doing work with them in the future, from mowing the lawn to handling freight, you have some digital hygiene to do – NOW.
In response to the growing number of cyber-attacks, the CMMC initiative has updated its requirements. An interim rule that takes effect November 30 states that there is an “urgent need for DoD to immediately begin assessing where vulnerabilities in its supply chain exist and take steps to correct such deficiencies.”
The rule in the Defense Federal Acquisition Regulation Supplement (DFARS) requires defense contractors to undertake specific data security corrections through the DoD’s Basic Assessment process, the results of which are submitted to the Supplier Risk Management System. Additionally, defense contractors are required to hold certification under the CMMC framework, which assesses security processes and practices. These assessments are now to be carried out by CMMC Third-Party Assessment Organizations rather than through self-certification.
What should SMBs do?
What that means for small businesses is that they need to start the process of obtaining CMMC certification now. By starting early and spending incrementally, SMBs can use advisory services that charge fixed prices and steer clients through the process in stages.
Everywhere you look, there are CMMC service providers hawking their wares. It’s beginning to look like a bakery section. What do you need to consider when you’re looking for an advisor to support your organization in this certification?
- Go with an organization that has a track record in cybersecurity advisory services and staff who are actually tracking CMMC. The challenge is that the framework keeps evolving, so what was a proposed agenda in July is not necessarily the same in November.
- Get fixed-price options for CMMC advice. What role and services does the team provide? An initial assessment should carry a small fee and should establish how your business operates, the level of work you do within the DoD, and what kind of data you handle. Estimates will vary depending on the work and the risk.
- Don’t sign with anyone without getting at least two estimates. It’s worth your time to do some reference checking or at least compare prices.
The reason for these increased security measures around CMMC is simple. If you work for the DoD in any capacity, you likely store some form of information that could be exploited to the detriment of our government’s defense. To shore up our defenses, the CMMC requires all vendors that work for the DoD to take responsibility for their data and how it is managed. Verizon’s 2020 Data Breach Investigations Report indicates that small businesses account for 58% of data breaches. The adage that “it’s not if, but when” an attempted data breach occurs is in play here.
There is no better time than the present for your business to start evaluating its cyber roadmap and developing a risk management protocol. In the face of a national transition, the process of meeting new requirements is a collaborative one.
The necessary resources, tools and subject matter expertise are plentiful and accessible within the federal ecosystem. Not only is this the cost of doing business but it’s our responsibility as citizens. We are all on the same path of continually ensuring the security of our data, the compliance of our businesses, and contending with the implications of cyberthreats. Together with a trusted advisor, your small business can manage CMMC and continue to work for the DoD.
Les Buday is a Member of the CMMC Advisory Body and Director for Cybersecurity at HumanTouch, LLC in Tysons, Va.