Posted on Apr 30, 2024
If your business is not a member of the Defense Industrial Base (DIB), and you don’t do work on a contract basis as part of the supply chain to the Department of Defense, you can stop reading now. Seriously. Despite the article’s title, this missive is full of acronyms and explanations of compliance requirements and has nothing to do with breakfast. And did I mention acronyms? I will wait.
Okay, since it is just “us” now, I will share a few high-importance details from the proposed CMMC rule, and specifically how you will work with companies like mine. Managed Services Providers (MSPs), Managed Security Service Providers (MSSPs), and other external service providers (ESPs) have been included in the CMMC fray, and it will impact your business.
Answered questions, with a side of questions
Over the last several years, we have had a lot of questions concerning our clients’ obligations because of the coming Cybersecurity Maturity Model Certification (CMMC). At long last, many of those questions are getting answered; the DoD released the proposed rule on December 26, 2023.
CMMC is the verification mechanism through which the DoD is assured that the contractors and subcontractors they work with have information systems in place to protect the sensitive data they hold. It was created because the DoD discovered that many operational and cybersecurity practices within the DIB were weak making our nation vulnerable to attack. The CMMC rule closes loopholes that have allowed plans of action purposed to remediate the weaknesses to remain open for long periods of time.
Most of our questions have been regarding the more advanced cybersecurity and operational requirements for DIB businesses that process, store, or transmit Controlled Unclassified Information (CUI) and who will need to secure a CMMC Assessment provided by an authorized CMMC Third Party Assessment Organization (C3PAO) at Level 2. Level 1 DIB businesses are required to protect Federal Contract Information (FCI) and are allowed to sell-assess their environment. Both levels 1 and 2 require that a company executive sign an affirmation that they have accurately assessed and are operating under the controls.
The significant update is that businesses classified as Level 1 and Level 2 in the Defense Industrial Base (DIB) sector will face upcoming challenges related to choosing their service providers.
It turns out, the DoD references many of the functions that MSPs perform within the definition of an External Service Provider: “external people, technology… that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services… CUI or Security Protection Data (e.g., log data, configuration data) must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”
Accordingly, we, the MSPs and MSSPs of the world that serve the DIB, will need to achieve our CMMC certification too! Not only that, but any ESP will need to certify at or above the level of the contractor they support is required to certify. While we have been expecting this and implementing the requirements in our own business, most MSPs or other ESPs have not.
Why does this matter to you? When your company uses an MSP or other external service providers, they are included as “in scope” for your organization’s System Security Plan; they will be included in your assessment. Meaning- you can’t pass your CMMC Assessment unless and until your ESP has passed their assessment and have a final certification as your provider. You will not be able to work for the DoD until all your ESPs have their certification. Let’s just say, there is some debate on how this chicken-and-egg-timing will work itself out… and there are still other considerations as far as timing.
This also means that your team will need to carefully vet the capabilities of every external service provider hired to work for you… and their tools.
Read More »
Posted on Dec 12, 2022
When did the Sunday Scaries, the anxious dread that precedes the beginning of the work week begin for you? The calendar is full, the to-do list is over-populated, and leaders fill multiple roles leading to burnout and negativity. It is no wonder that the modern professional is not excited to jump out of bed on Monday. A single hire could change this for your organization.
With such heavy workloads, energy toward creativity and out-of-the-box thinking is nil. Business leaders need energy that allows traction toward working ON the business, and not just IN it – spinning plates and wearing so many hats. A technology consultant may be the answer to “smarten” your tech to work for you, so you can work on the business you (used) to love.
What Is Technology Consulting?
These days, a Technology Consultant does much more than manage printers, assist with helpdesk repairs, or install networks; after all, technology is woven into every aspect of business. A consultant serves as a sounding board from whom you can ask questions, who will learn about your business, your goals, and how you implement technology. A good Technology Consultant is NOT an IT consultant; they look at a much broader picture, identifying efficiencies in processes, assessing risk, controlling costs, and advising on compliance and liability. Delegating these roles to experts will help you get back to the work you enjoy and may even help profitability.
A study by IBM and the Ponemon Institute found that the use of emerging technologies reduces costs. For example, the adoption of artificial intelligence, security analytics, and encryption saved companies up to $1.49 million compared to those who did not use these tools.
Read More »
Posted on Nov 11, 2021
I admit it- I am spoiled by Amazon. While I purchase locally when I can (Instacart, Grubhub, Doordash, Shipt, and such when I cannot go out in person) I also appreciate being able to procure a hard-to-find item and have it delivered in sometimes only a few hours.
Other industries that compete with Amazon have worked hard in recent years to catch up with the fleet-footed fleet of smiling vans. All companies on the fulfillment- side of the tech supply chain are suffering since the advent of COVID-19, and so are the hope and dreams of all would-be technology buyers. Since the shutdowns of 2020, our clients have seen radical changes to how quickly machines arrive at their offices: what may have taken at most a week to fulfill now can take multiple months to deliver. Ouch.
Large scale organizations with immense buying power are even having trouble obtaining the technology items they need- the bottleneck at manufacturers has yet to move. What is the strategy for small and midsized businesses to procure laptops, docking stations, monitors, and, well, anything with a chip so they can keep working? We have a few thoughts.
Read More »
Posted on Dec 14, 2020
Multi-Factor Authentication (MFA) is a security feature offered by many websites, applications and devices that dramatically improves account security by requiring multiple pieces of evidence (your credentials) when logging into an account. There are three main categories of credentials: something you know, like a password or pin number, something you have, like a security token, verification text, call or email, or something you are, like your fingerprint, your voice or your face. Using our wall metaphor again, MFA is like having a second and third very high, slick wall. All good, right? Safe and secure! Or maybe not…
Read More »
Posted on Oct 1, 2020
The economic shocks of 2020 are drastically affecting the technology budgets of 2021 and pencils are being sharpened. 2020 saw bootstrap, instinctive, reactionary, financial decisions. Many organization’s plans for 2020 were thwarted by the pandemic and were put on hold. There is now no such thing as business-as-usual processes; executives need budget processes streamlined in order to react quickly and strategically with a more proactive than reactive stance. With so much uncertainly going into the new year, how should companies address and prioritize their technology budgets for 2021?
Read More »
Posted on Aug 4, 2020
Stalkerware is a term that is used for applications that are sold, usually by legally registered companies, to monitor children or track employees. The term “stalkerware” was coined for its wide use to monitor intimate partner’s or spouse’s activity without their consent. These apps are designed to run undetected and track or record user behavior and activity and may remotely control devices without the user’s consent or knowledge. They exfiltrate data like location, contacts, take screenshots, call and text logs, browser history, and even record phone calls. Some types of apps that are location services are expected, for instance, the Find My function in Apple phones to geographically locate devices and people, but this differs from stalkerware because it is a native application where the user is in control of who they share their location with. Stalkerware apps are especially insidious because the companies who design and sell them fail to protect all the data that is collected- opening the victims for double damage: not only do they have no privacy but much their personally identifying information for sale on the Dark Web as well leaving them open for attacks.
Read More »