What The DoD Can Teach Us About Cybersecurity

Most of us don’t do business with the Department of Defense, but there are a lot of very good practices in their new cybersecurity standard that we can benefit from.

Department of Defense contractors all over the country are adopting the DoD’s newest cybersecurity requirements, CMMC, which are designed to keep our nation’s secrets secure. Like almost all government programs of this size, the rollout has been full of false starts and setbacks and has taken much longer than anyone predicted. Still, the end result is a much improved set of security standards that we can all leverage as we strive to make our own business environments more secure.

Let’s take a quick look at what they are doing, and why their approach can benefit almost any business.

What is CMMC, And Why Should I Care?

The Cybersecurity Maturity Model Certification (CMMC) program is designed to help Department of Defense contractors meet ever-changing cybersecurity threats and safeguard the information that supports and enables our military. The CMMC framework has three levels of compliance: Foundational, Advanced, and Expert. The set of practices laid out at the Foundational level makes good sense for almost any small business, and a lot of the Advanced-level practices are also crucial if you work with sensitive data or have a hybrid work environment. The companies that would benefit from adopting some or all of the Level 2 standards share at least one of the following three challenges in their business:

  • Compliance With Regulatory Standards: Many industries are required to adhere to regulatory standards. If your business involves mining, manufacturing, finance, energy, healthcare, insurance, or telecommunications, to name a few, you should already be familiar with the regulatory requirements of your industry. CMMC draws on the best cybersecurity and document-safety practices from these sectors, so chances are good you could learn a great deal from studying their procedures.
  • Complexity in Operations: If your company struggles with the challenges that come along with a complex business environment, like remote workers or multiple offices scattered across a region or the globe, CMMC can help you think about how to keep the collaboration going for your team while also keeping your information secure.
  • CAD and Big Data: If you are using powerful computers in your design or manufacturing operations, ensuring you have the right resources allocated to the right teams can quickly overwhelm your IT team if they don’t have the right practices in place.

Breaking Down The Levels

The current standard defines three levels of IT best practices for any entity that does business with the DoD:

  • Level 1 (Foundational): This is the minimal baseline of 17 practices that all DoD contractors must follow, regardless of the product or service provided. This layer focuses on the basics (of course) and includes practices like restricting information access to those who need it, making sure your user authentication is solid, and installing a business-class cybersecurity suite. If you provide professional services, it’s almost certain that you should be doing the things in the CMMC Foundational level.
  • Level 2 (Advanced): Level 2 ratchets up the number of practices from 17 to 110, significantly increasing the effort and cost of maintaining compliance. For those of us who don’t do business with the DoD, there are still some stronger cybersecurity protections in Level 2 that make good sense to follow, like using multi-factor authentication and full data encryption, especially in a remote work environment.
  • Level 3 (Expert): This level adds even more practices to the mix, as well as additional assessments and audits. Not many organizations will need to meet this standard, but those that do will have to put a lot of effort into getting it right.

Most companies don’t need to invest the time and effort to achieve the equivalent of CMMC Level 3 cybersecurity compliance, but almost every company can and should use the DoD Level 1 Self-Assessment Document as a benchmark for their in-house baseline IT practices.

How Any Business Can Make Their IT Operations More Effective

If you are DIY’ing your IT setup, here are a few tips to get you started:

  • Start With The Basics: Get a professional-grade cybersecurity suite installed, and create a disaster recovery plan that details step-by-step instructions on how you will get your business back up and running if something bad happens, like hackers, fire, flood, etc.
  • Protect Your Data and Environment: Make sure you use data encryption whenever you transmit information across the internet, and enable multi-factor authentication everywhere in your business to help keep the hackers at bay.
  • Train Your Staff: The number one way hackers gain access to a business network is through socially engineered attacks. Train your team to spot those fishy emails, phone calls, and text messages.

Not sure how to do some of this? As always, you can schedule a consultation with me, and I’ll be happy to help you decide which platform makes the best sense for your business.