Is your company making this quite common security mistake?
Addressing it now is both good business and a major step toward CMMC compliance
It’s widely expected that CMMC 2.0’s final rules will come online in March 2023. If you are a contractor to the DoD, you now have a rough deadline for compliance. If that timing holds true, expect to see CMMC requirements in solicitations as early as May 2023—60 days after the final rules appear.
Many of you are already receiving questionnaires from downstream (and sometimes upstream) partners asking you to attest to a security posture that matches CMMC 2.0 Level 1. But as of May 2023, those standards will have the force of law. Every vendor on every contract that has some connection with supplying the DoD will have to self-attest to meeting them before bidding.
Many of you are probably thinking of this as bureaucracy being bureaucracy, just another federal regulation, but it's more than that. It's also a digital safety net for your business. Conforming to CMMC standards will protect you just as much as it will protect the DoD's data.
If you've read this blog before, you know my strong belief that basic cybersecurity hygiene is a necessity for any business. The threat environment, ransomware and phishing attacks in particular, is getting worse, especially for small and mid-sized businesses. One recent report I read suggested a 90% increase in attacks on the technology sector in 2021, while the size of the organizations under attack has decreased. This is not surprising: smaller organizations tend to be easier to penetrate.
The fact that CMMC standards are needed at all tells us the threat is real, and your organization is probably proof of it. I couldn't estimate the number of small manufacturers I've talked with about security standards over the past few years. Yes, every business had a different history, distinct internal processes, a unique technology mix, and so on. For all their distinctiveness, most shared a glaring vulnerability: access control.
So, let's talk about access control. Access Control is one of the CMMC domains, and even at Level 1 it requires you to limit system access to authorized users and to the transactions and functions those users are permitted to perform. In practice it comes down to traceability and accountability: who needs access to what, and how they get it. Getting access control right might not even cost anything more than time and effort for you or the person you delegate it to.
Access control challenges come in a variety of forms. Here's a scenario I see all too often: password sharing. Let's use an ERP system as a typical example, although the same thing applies to many kinds of systems. Rather than create credentials for everyone who needs access to the ERP, users share a login. This is often motivated by expediency and mutual trust among the staff. Sometimes it's a way to avoid per-user licensing costs. In any case, it is unacceptable under CMMC: a shared login cannot be tied to one person, so you cannot show who did what, and you cannot revoke one person's access without resetting it for everyone. If it is going on at your company, put a stop to it now.
I know firsthand that many small manufacturers haven’t invested in an ERP system. From the beginning, they have run purchasing, operations, sales and more via spreadsheets. That in and of itself isn’t necessarily a problem, but what is a problem is where those mission-critical documents are stored. This is often on an open file server or accessible to everyone through a shared drive.
Again, shared drives seem convenient: if everyone has access rights to everything on your file server, then anyone can get anything he or she needs instantly. But that's also a weakness. Consider this: if you don't know who changed which file and when, you have no version control, and that alone is a vulnerability. Sometimes the threat to data integrity is simple human error rather than a bad actor.
From an expediency standpoint, the key word is instantly. From an access control standpoint, the key word is need. Define what your production, quality, purchasing, shipping, HR and other departments need access to, make sure that data is easily available to the people in them, and you haven't sacrificed agility for security.
A role-based access control policy is a straightforward way to implement access controls. One common approach is to create or refine job descriptions, ideally with the input of the people already in those positions, for reasons we'll discuss in a moment, to include the data each role needs access to. It's a good idea to have access controls defined on a line-of-business level as well. If a supply chain partner requests it or the government audits your CMMC self-attestation, you'll need to have documented access control policies and procedures.
Basic access control can be enforced at the folder level: purchasing gets its own folder, as do operations, sales and so on, and each folder's permissions are granted to a group for that department rather than to everyone. Don't protect folders with a shared password; that is credential sharing in another form, with the same loss of accountability. The hidden danger here can be cultural. If your people have always had access to everything, and are suddenly told they are now restricted to certain kinds of data, pride can be wounded and trust undermined. That's why it's smart to involve your employees in the role-based access control or access control parameter definition process. If your employees help to create the standard, they will feel some ownership of it.
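Here is what the folder-per-department approach looks like on a Windows file server, as an added example that is not from the original post or from MX2. It assumes you run it as an administrator on the file server, that an Active Directory group already exists for each department (the domain name ACME and the group names FS-Purchasing, FS-Operations, FS-Sales and FS-Quality are placeholders), and that D:\Shares is the share root. Each department folder stops inheriting the share root's permissions, grants Modify to the department's group only (not to individual users, and not via a folder password), keeps Administrators for backup and support, and turns on success auditing for writes and deletes so the Security event log records who changed which file and when.

```powershell
# Added example (not from the MX2 post): department folders on a Windows file
# server, each writable only by its own AD group, with change auditing.
# Assumptions: run as an administrator on the file server; the AD groups named
# below already exist; D:\Shares is the share root; "Audit File System" is
# enabled in the local or domain audit policy so the audit entries are logged.
# Domain, group and path names are placeholders for illustration.

$ShareRoot   = 'D:\Shares'
$Domain      = 'ACME'
$Departments = @{
    Purchasing = "$Domain\FS-Purchasing"
    Operations = "$Domain\FS-Operations"
    Sales      = "$Domain\FS-Sales"
    Quality    = "$Domain\FS-Quality"
}
$Admins = 'BUILTIN\Administrators'

# Apply every entry to the folder, its subfolders and its files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($dept in $Departments.Keys) {
    $path = Join-Path $ShareRoot $dept
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # -Audit is needed to read and later write the folder's audit (SACL) entries.
    $acl = Get-Acl -Path $path -Audit

    # Break inheritance and discard inherited entries so "Everyone" or "Users"
    # permissions on the share root do not leak into the department folder.
    $acl.SetAccessRuleProtection($true, $false)

    # Administrators keep Full Control for backups and support.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Admins, 'FullControl', $Inherit, $Propagate, $Allow))

    # The department group (never individual users) gets Modify: read, write and
    # delete its own files, but not change permissions or take ownership.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Departments[$dept], 'Modify', $Inherit, $Propagate, $Allow))

    # Audit successful writes and deletes by anyone, so the Security log shows
    # who changed which file and when.
    $acl.SetAuditRuleProtection($true, $false)
    $acl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone', 'Write, Delete, DeleteSubdirectoriesAndFiles', $Inherit, $Propagate,
        [System.Security.AccessControl.AuditFlags]::Success))

    Set-Acl -Path $path -AclObject $acl
}

# Review the result: who can do what in each department folder. Anything still
# marked IsInherited = True means inheritance was not broken as intended.
foreach ($dept in $Departments.Keys) {
    $path = Join-Path $ShareRoot $dept
    (Get-Acl -Path $path).Access |
        Select-Object @{n = 'Folder'; e = { $dept }}, IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

Membership in the FS-* groups is then the only thing that changes when someone joins, moves or leaves, which is the documented, reviewable procedure an assessor will ask to see. Audit entries only produce events if the "Audit File System" subcategory is enabled in your audit policy; without it, the rules sit on the folder and log nothing.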
MX2 addresses the access control problem with our HITRUST Certified MX2 platform, which offers a fully virtualized IT environment, securely housed in our protected data centers. (It addresses a broad range of other CMMC requirements as well.) Each person in your company is given individual login credentials tied to the permissions that person needs. This gives you precise control over access and a record of who is doing what and when.
Will it take effort? Yes. Will you benefit from making the effort? Absolutely. Anything less is the equivalent of leaving your keys on the dashboard of your car.
If you have questions about access control or you’d like to know how integrating the MX2 Platform might solve a whole host of CMMC-related concerns for your business, get in touch. There’s never a charge or an obligation, just a clear and open conversation about your security stance and how it might be improved, whether you decide to work with us or not.
Want to Learn More?
If you want to know what it would take to achieve baseline security for your business, we invite you to schedule a free, no-obligation gap analysis call. In 30 minutes or less, you'll understand which policies and procedures are missing, so you can make better decisions about where to start.