CMMC and Cloud Compliance for Mid-Market Companies

The Cybersecurity Maturity Model Certification (CMMC) is a new and still developing standard for measuring a company’s cybersecurity effectiveness. It was developed by the Department of Defense to measure and rate the cybersecurity practices of the Defense Industrial Base (DIB), the companies supplying products and services to the DoD. 

While the CMMC only applies to DoD contractors, it is based on the NIST CSF and NIST SP 800-171. These NIST frameworks are used across all industries to help companies gauge their cybersecurity effectiveness. CMMC combines NIST and other standards into a unified cybersecurity standard, which can be applied by any company that wants a method for achieving higher levels of cybersecurity over time. 

CMMC is simply divided into five levels to allow organizations to put measures in place to reach the minimum cybersecurity necessary to protect customer data. The addition of a third-party audit organization (3PAO) certification provides proof that any organization working to achieve a certain CMMC level has the proper security measures in place.  

The five maturity levels range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” Each maturity level includes progressively more demanding process and practice requirements to achieve the certification level. 


Most mid-market and SMB companies will never need to go beyond Level 3 in the CMMC model unless they are doing work for the Federal government or another customer that maintains highly sensitive data and processes.  

In addition to the levels, there are 171 practices and 5 processes spread across the five levels of CMMC maturity. These practices and processes are organized into 17 capability domains to make them more manageable. 

Looking at the number of practices and capability domains can seem daunting. Since CMMC and NIST are closely related, you can group the CMMC capability domains under the NIST CSF Core Functions and then think about how you manage your cloud compliance to each CMMC level function by function. 

CMMC and the Cloud 

Since most mid-market companies are moving or have moved all their IT operations to the cloud, it is helpful to think of the CMMC in that context. If you move all your IT operations to the cloud, do you even need to worry about cybersecurity maturity? The answer is “yes”, but the good news is that the cloud and SaaS providers with whom you work will take on much of the cybersecurity burden and make achieving higher levels of CMMC easier. 

Looking at the following table, you can see that moving to the cloud allows a company to “outsource” much of its burden of CMMC requirements to the cloud provider. As you evaluate a cloud or SaaS provider, it is important to know whether they are CMMC compliant themselves. You can use this as a framework to analyze whether they are following the necessary steps to be a partner in your CMMC success. 

CMMC compliance of cloud operations is very achievable for mid-market companies. The key to success is breaking the compliance process into smaller pieces and setting goals for achieving each level. Working with a company that can help you manage the project and implement the needed security standards makes the process much easier and the program much more likely to succeed. 

Engaging MSPs: What Should Customers Look For?

Why Engage an MSP? (Part 1)

Managed IT services are external support for a company’s core IT functions. Specifically, they cover end-user support, cloud, security, and device management. Typically billed at a flat rate calculated on supported users or devices, managed IT services offer professional, expert support at a cost that remains the same regardless of how frequently the support is needed.

There are several reasons why a company should engage a managed services provider (MSP) for their IT needs:

Growing Complexity in Cybersecurity Compliance

First, a limited internal IT team may be challenged by the increasing number of clients asking companies to comply with their cybersecurity standards. These compliance projects are time-consuming to manage and often stretch the expertise of in-house IT, triggering the need for outside tools and expertise. These cybersecurity audits almost always expose areas that require remediation to bring the company into compliance. MSPs can provide much-needed expertise and capacity to help with the additional projects created by an audit.

Limited Internal Capacity

Operations of every size eventually reach the maximum capacity of their in-house IT resources. Maybe a single individual was all that was needed to meet the business’ IT needs when the company was founded. With success, a business grows – and this is to be celebrated.

This growth and success, however, comes with additional IT needs. At this point, businesses can benefit substantially from hiring an MSP to supplement their IT capacity. An MSP can alleviate the burden of in-house IT management and take charge of the company’s core IT operations so in-house staff can focus on strategic IT initiatives, or even projects outside of IT.

Migration to the Cloud

When transitioning to cloud and software as a service (SaaS) applications, the IT professional’s job description changes. Ultimately, cloud and SaaS applications lighten the IT burden for maintaining application servers and all the associated support functions. The nature of IT work changes as the business looks to IT to focus less on keeping the systems running and more on data analytics, information workflows, employee productivity and security issues. A great MSP can help with the complexity of shifting data and processes to the cloud, while helping the company define and manage new workflows that maximize the benefit from all the cloud services that are being used.

Yellow Lights and Red Lights

There are acute emergencies (red light events) like cyber attacks that cause businesses to look elsewhere for help. There are also mid-level pain points (yellow lights), areas where businesses know they need to improve but are slow to take action. Most MSPs are equipped to handle all the events that can occur, but great MSPs use software tools and expertise to identify minor issues before they become major ones, ensuring no interruption to your day-to-day business operations.

Tedious Tasks

Employee onboarding, offboarding, device management, SaaS management – think of the bottom half of the list of IT tasks your company needs to handle for things to run smoothly. These are responsibilities that no one internal is particularly excited to tackle but they need to be managed regardless. Wouldn’t it be nice if someone else could just handle all of it for you instead? Yes, that’s also what MSPs do – everything that you don’t want to. A great MSP will not only handle these tasks but will also bring software and expertise for ways to automate and improve the operation of these important but uninteresting tasks.

Remote Workforce Business Continuity

Ensure your Business Continuity Plan Secures your Remote Workforce

In our last Securing Remote Workers blog, we discussed how organizations in today’s world must adapt to changing business conditions to ensure a secure remote workforce. Another critical element for securing your remote workforce is ensuring your business continuity and disaster recovery plan includes the ability to support your remote workforce with little or no notice. An organization must be capable of sustaining normal operations during a power outage, illness, flooding, or similar event that makes it unsafe for employees to travel onsite. In such an event that disrupts normal business operations, an organization must be capable of rapidly transitioning to a fully remote workforce.

If you already have a business continuity plan, you should consider adding remote workforce security capabilities to your plan, such as:

  • Multifactor authentication
  • Data loss prevention (DLP)
  • Advanced Threat Protection
  • Wireless connectivity

If you do not have a business continuity plan, the Department of Homeland Security provides details on the following four steps:

  1. Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
  2. Identify, document, and implement strategies to recover essential business functions and processes.
  3. Organize a business continuity team and compile a business continuity plan to manage a business disruption.
  4. Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

For more information you can download a summary guide here.


PSAP Cyber Risks to 911

CISA Report on Cyber Risks to 911: TDoS

A telephony denial of service (TDoS) attack is a specific type of DDoS attack directed at a telephone system to bring the targeted system down. These attacks can affect anyone, including our 911 infrastructure, and are often accompanied by ransom demands. 

As such, TDoS attacks present a unique risk to public safety communications stakeholders, including Emergency Communications Centers (ECCs), Public Safety Answering Points (PSAPs), and other 911 centers. 

In response, the Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Risks to 911: Telephony Denial of Service fact sheet to educate the public safety community on TDoS threats. 

Specifically, the fact sheet reviews:

  • The most common TDoS attack vectors
  • Real-world TDoS incidents and impacts
  • Best practices to mitigate TDoS vulnerabilities

One of the key takeaways is that ECCs/PSAPs should consider a managed service provider to address two of these mitigations:

  • Implement the National Institute of Standards and Technology Cybersecurity Framework to improve cybersecurity posture
  • Conduct cybersecurity assessments, identify capability gaps and vulnerabilities, and determine appropriate cybersecurity standards

Take Action to Prevent Attacks: Download CISA’s TDoS fact sheet to see the seven steps to prevent cyber attacks.