Everything about us is online today. Our name, personal lives, address, banking, billing—and yet we do almost nothing to protect it. How many of you use the same password for everything? How many of you use the word “password” as your password? How many times have you changed the password for a single login on your computer? Identity theft happens too often, companies are losing IP to the tune of billions of dollars every year, and we as a nation are not prepared for a cyber war. You can see that with the recent Uber cyber hack and the follow-up from that incident.
I talk to small businesses every day about cybersecurity and ways my company can help them, and the response is either “we have that covered” or no response at all. I specialize in the NIST and CMMC frameworks for companies doing work with the DoD. These compliance requirements have been around for years, and it is astounding how many companies have no idea what is required of them. And I’m not talking about the intricacies of their system security plans. I’m talking about the difference between certified and compliant. I’m talking about which milestones you are allowed to have in a POAM for NIST versus CMMC. There is a plethora of articles, webinars, and YouTube videos covering this information, and yet businesses still tell me weekly that they are NIST certified.
Give me a cup of coffee and I could talk all day about NIST and CMMC. It is one of my favorite topics to discuss, and my best day at work is sitting down with a small business to simplify its journey to NIST/CMMC compliance. I love working with small businesses to get past the fog of NIST/CMMC and break down how they should pursue their cyber compliance. And I’m not talking about selling someone something, either (even though that does happen). I want to help small businesses understand the cyber vernacular, know what questions to ask companies before hiring them for MSP services, and see what documents they need in order to feel confident in their cyber compliance.
If I had one thing to say to businesses who work with the DoD, it would be this: do not leave your compliance on the back burner. It should be discussed in most meetings, brought up with leadership regularly, clearly highlighted in your budgets, and your IT staff should have consistent, uninterrupted meetings with the team to discuss the progress of your NIST/CMMC compliance. You, as a business owner, should never hand compliance off by default to someone in your company or simply outsource it. If a Prime or Contracting Office asks about your compliance, generic answers will leave them unimpressed and not confident that you are where you should be. Your NIST/CMMC compliance is essential and critical to the nation’s supply chain and to the Warfighter using your product on the battlefield.
We are years into NIST and CMMC, and if you have questions, ask! There are hundreds, if not thousands, of people on LinkedIn who are more than willing to help you. Burying your head in the sand until NIST/CMMC goes away will not lead to sustainable results. It will lead you to the uncomfortable position of not winning work with the DoD because you do not meet the requirements. Or, if you are caught being dishonest about it, losing your job will be the least of your problems. You as a leader need to confront NIST/CMMC until you understand your cyber posture and what gaps you need to close to be prepared for your CMMC certification.
I spoke to a C3PAO recently about our sister company getting certified and what the process looks like. The C3PAO said he has over 50 companies he is working with who are prepared to be certified when the CMMC rulemaking is finalized in Spring 2023. If you approximate 1-2 weeks to get certified, then even if you get in line now, it will take you over a year before you can get certified. Can your business sustain a year without new contracts or bidding on new contracts with the DoD? If this thought terrifies you, get a meeting today with your IT people, break down where you are and what you need, and finalize a plan today.