CMMC Getting Closer and Closer
The implementation of the CMMC has been delayed somewhat due to the COVID-19 pandemic and the ensuing lockdowns; however, the compliance deadline is fast approaching. Contractors and subcontractors who want to start or continue working with the DoD need to meet the appropriate standards to bid for desired contracts. By the end of the year, there should be provisional assessors, assessment guides, pilot programs, and the beginnings of an operational system that allows companies to obtain CMMC certification.
What does your firm need to do to prepare to pass a CMMC assessment? Here are some tips to get you started on the right track.
Check Your Hardware and Software
Companies that want to work with the Department of Defense won’t be able to use IT hardware or software made by Chinese companies for DoD projects. Bear in mind this doesn’t mean you can’t own hardware or software made by Huawei or ZTE; however, it does mean that such hardware and software can’t be used to store DoD information or for any DoD-related projects. You’ll also want to check your employees’ mobile devices if they use those devices for work purposes.
Begin Developing and Implementing Proper IT Policies and Procedures
Do you have IT rules and regulations governing IT cybersecurity, data storage, the use of personal devices for work purposes, etc.? If so, you’re off to a good start. However, you’ll need more than just rules and policies to meet CMMC requirements. You’ll need to show that your company adheres to these policies and procedures every single day.
Now may be a good time to consider IT cybersecurity training for staff members. Training should cover selecting strong passwords, storing passwords, recognizing cyberattacks and addressing them appropriately, data management and storage, and protecting devices from loss or theft. IT managed service providers can provide the needed training and conduct regular employee testing to ensure all staff members are following your company guidelines.
Upgrade Your IT Cybersecurity
The entire purpose of the CMMC is to protect government information from falling into the wrong hands. To meet CMMC requirements, you’ll need to ensure your systems are continually safe from malicious third parties. Have an independent firm conduct a cybersecurity assessment and/or penetration testing on your computers to identify vulnerabilities that could lead to an attack.
Bear in mind that even seemingly small missteps could lead to a devastating attack. These small mistakes include:
- Failure to update software programs. In 2017, poor patch management resulted in a massive ransomware attack that affected hundreds of organizations in more than 150 nations. Patching software removes known bugs that hackers could use to gain access to your systems.
- Failure to secure devices connected to the internet and your network. These include, but aren’t limited to, printers, scanners, and POS devices.
- Failure to secure your Wi-Fi connection. A VPN makes it possible for you to work securely, even when you aren’t in the office. Remote employees and independent contractors should connect through a VPN so that working over a public connection doesn’t compromise your network.
Schedule a Pre-Assessment as Soon as Possible
You don’t want to schedule a CMMC assessment before you’re ready. On the other hand, you can’t count on finding a CMMC assessor at the last minute. Failure to obtain an assessment promptly can make the difference between winning and losing a contract worth tens or hundreds of thousands of dollars. That’s why you need to prepare now so that you can schedule an assessment well in advance of a bid.
Get Professional Help
If your business is familiar with NIST guidelines, you’re off to a good start, as CMMC builds on NIST guidelines. However, there are also new requirements, especially for companies requiring level three, four, or five CMMC certifications. Professional CMMC consulting can help you address weak areas and improve overall IT cybersecurity and performance by providing you with an outside perspective on your IT setup.
Advantage Industries is an IT managed service provider serving companies throughout Baltimore, Washington, Northern Virginia, and Maryland. Our team includes expert NIST and CMMC consultants who can help you create custom IT solutions to enable your company to meet the new CMMC requirements without undue delay. Get in touch with us to learn more about our services or schedule an appointment with our team.