Lessons All Businesses Can Learn From CMMC Compliance

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification and is a set of regulations created by the Department of Defense (DOD) to ensure companies who works with the DOD are adhering to requirements to keep information secure. Any company that has a contract with the DOD must get the certification to stay compliant with regulations.

What Can Other Businesses Learn From CMMC?

All business handle information that should be kept private and out of the hands of cyber criminals. While companies who don't contract with the DOD aren't required to get CMMC, they still face many regulations about privacy. What can be learned from CMMC is that having a specific process when it comes to cyber security is essential.

Not only should businesses have a process in place for keeping data secure, they should also have a business continuity plan and disaster recovery plan in place in the event of a security breach or other disaster that may compromise their network. Companies should also review their process and plans on a regular basis and make revisions as needed.

Key components to staying on top of cyber security are:

• • Employee training so all employees are familiar with processes, recognizing security threats, and able to implement company security standards

• • Tabletop exercises where a team runs through different scenarios to ensure the proper response process is in place and everyone is able to follow it

• • Working with the company IT services provider to make sure the network is secure and monitored 24/7, and important data is backed up

• • Being familiar with security regulations and any changes or new regulations that are imposed

Need help with security or compliance requirements? Contact Us today.

-----

Learn more about CMMC and compliance our episode of Stimulus Tech Talk with special guest CMMC expert, Leia Shilobod.

Intro  0:00

You're listening to Stimulus Tech Talk, a conversation based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.

Nathan Whittacre  0:15

Everybody I'm Nathan Whitaker, CEO of Stimulus Technologies. And welcome to Stimulus Tech Talk. I'm very excited to have our first guest for the podcast this morning, a good friend of mine Leia Shilobod, the CEO of In Tech Solutions. So welcome Leia.

Leia Shilobod  0:33

Thank you for having me today, Nathan.

Nathan Whittacre  0:35

It's a pleasure. So let me I'll do a little introduction. Read your brief bio here. And then we'll, we'll get into our topic of the day. So as I mentioned, Leia is the CEO of In Tech Solutions and a longtime friend of mine, so I'm excited to have her. She's the author of Cyber Warfare: Protecting Your Business From Total Annihilation And The Three Indisputable Rules Every Manufacturer Must Know Before Purchasing Any IT Product or Service. As a cybersecurity adviser Leia speaks frequently of venues and events such as Harvard, Pennsylvania State Department events, and accounting and manufacturing industry events, also known as the IT Princess of Power, Leia saves small businesses and mid market firms from hackers and keeps them compliant by delivering enterprise class IT security solutions that would otherwise be cost prohibitive. And so our topic today and I, what I brought Leia on is to talk a little bit about security and compliance. And, you know, that's a topic that, you know, oftentimes business owners kind of glaze over when you talk to them, and they don't want to hear it until they have an issue. So tell me a little bit about yourself and how you've been able to, you know, introduce this idea of compliance, especially CMMC compliance to business owners, and, you know, what's your, you know, how do you get into them get into their head and convince them to even listen to you about this topic?

Leia Shilobod  2:09

Yeah, so I want to thank you so much for bringing me on this call to talk about my two favorite things, security and compliance is that those are my two favorite things. And I could talk about them all day long. But how did I get to be in this place? It's a good question. I founded my firm in 2006, as a security focused IT provider, because that was always really important and really key and core with everything we did. It didn't matter if the company that we work with, understood and cared about security as much as we did, we cared about it. And then as time went on, that security piece was not as much of a nice to have, it's kind of like you need it. If you're going to be in business, you need to be able to have security front and center. Sometimes there was a concern with like, why am I spending money for this? You know, like, or am I spending money in the right place, and I could see this concern, and I was trying to communicate the value, but still was having difficulty kind of like weaving it all together for the business owner. And then some of my manufacturing clients had a contractual requirement to comply with NIST 800  -171 cybersecurity standards, how to protect certain government information that they were data custodians of, and then I was like, Ooh, this is great. Like, doesn't matter what they think they have to do it now. And so we're gonna go about doing this thing. And I can kind of jump over the conversation of why and just so we have to, and I'm sure you can imagine, that didn't go over very well. Because nobody just want to have to do something. They want to understand the why and the benefit, not just like, Okay, fine, I have to do this because you're not gonna get excited about something just have to do then I actually I studied for and got a certification, it to be a Certified Information Security Manager, my CISM certification. And as I was studying for it, it was actually one of the most fun things I ever did. Because all the stuff in here was like, this is this is it. This is this is helping me to like to weave together all those things that I wasn't sure how to and be able to have that conversation with my clients about managing their information security, and be able to say, what does the what is the business outcome that you are looking for? Because we know we have to have some kind of investment in your it, because that's related to your business process. And if we do this the right way, then those resources that you allocate, not only do you know why you have to put money in there, but you know, that you're putting it in the right place, instead of just trying to throw money at a problem, you know, cross your fingers and hope that it's going in the right place. Now the clarity is all there. So when I talk to clients about introducing security, we talked about implementing a cybersecurity compliance program, no matter if it's going to be you know, CMMC compliance program or you know, just cybersecurity. compliance in general, and be able to have a business and operational conversation where we can say, Look, I'm on the same side of the table as you, we have to think strategically about where we put these resources, because we understand your business has limited ones, let's talk about risk to the organization, what areas are, are those risks in? How would that impact be in your organization, and then put that all into a program, and then be able to make good strong business decisions based on data, and then the outcomes of that program, we can actually report back. And it's not just like, oh, look like there were no incidents this month, but actually like real strong metrics and information to say, we got this going, and then this is why our business is flowing. So well, this is why operations are flowing well, and and then feel like they've making right decisions about where they're spending their money.

Nathan Whittacre  5:51

Because it seems like you know, when I talk to companies about security and compliance, they think it's maybe like insurance, or something, like you said, at the beginning is something they have to do or are supposed to do. But if they don't definitely don't get excited about it, they'd rather be spending the money elsewhere. So it seems like you take a little bit different look at it as like how can security and these compliance things help their business processes rather than just just be something that throwing money in a bucket? And hopefully it protects them?

Leia Shilobod    6:22

Yeah, right. Because that's like, it's no way to do business and what often happens. So like the people who are thinking strategically in the organization, unless you get larger like, into a mid market firm, like I work with an organization out of the UK, they've have 1000 endpoints. So their CIO, and theirs and their CISO, they are thinking differently about the allocation of resources, because they're already in the C suite. But oftentimes, that if you have internal IT, or if you just have an MSP or MSSP, that your IT provider, they're not having that C-level kind of conversation, or they're not sure how to bridge that gap. And so they're allocated this small pot of money, and maybe they don't even know the best way to allocate it. And then keep saying it's not enough. And it might not be enough. And it might be enough, and just not allocated properly. But there's no, you know, defined strategic way of trying to assess that. So everybody's just frustrated and not feeling like you're getting good outcomes. And it's like, you know, what, that's because we're not doing it. The best way, there's a better way to do this, and you get massive value from implementing a disciplined strategic approach.

Nathan Whittacre  7:34

Yeah, that's really interesting. I, I talk periodically about it that, you know, we can't in the IT industry, we make the mistake of just trying to scare people into buying security. And, and that's not a good tactic. I mean, I drive around on the road here in Vegas, and they have these, you know, billboards up, you know, don't speed don't drink and drive, but there's plenty of people still out there, you know, going 10-15 miles an hour, the speed limit, or having a few drinks and still getting behind the car. So, you know, we know, as people, we're willing to take those risks. So it's your approach is really interesting about, you know, talking about the advantages of implementing these inside their business rather than just scaring them into doing something.

Leia Shilobod    8:12

Right. Right. So, and I think that the scary thing is like, it's like the what we think is the like, the easiest thing to do, right? Where instead, like, we do a lot of tabletop exercises with our clients, where we take a scenario and we say, here's a relevant scenario of something, let's say this happened in your business, you know, the, you know, you walk in the server that hosts QuickBooks Enterprise for your business is encrypted. And you know that because you're trying to access it, you look at the files, everything looks like all jumbled up. What do you do? And you know, I had like, you know, I was talking to one person about that, and they're like, Oh, well, I would just email you. I'm like, No, that's not what you do. And like, let's talk about why. Okay, because maybe if that system is compromised, your email system might be compromised. And also you have an emergency. What if I'm not like, what if I'm not looking at my email, then you're going to pick up the phone? You gotta call, right? Or we have to make sure like, do you have an incident response plan? If you do you pull that out first? And you do what it says? If you don't? Why don't you have that? Because you need to figure out like, if this happens, what do you do? You don't practice on a real live incident, you practice before that. And then as we talk through the scenario, they start asking questions like, Well, how could this have happened? And then that's a great opportunity for me to say, Well, right now you have, you know, this zero trust software on your server. So technically, things should not be able to get encrypted, but let me tell you about ways that it could possibly happen. And then we can talk through that. So they can also understand the risk because when you allow somebody else into your system and outside organization, and you give them that responsibility, that's a big risk too. They're forgetting how big of a risk it is that they're working with any kind of third party vendor on this and trusting them. Right? That's an, maybe MSPs don't want to talk about that. Yeah. Because if they say that then like, they're, they're the if I if I try to explain that I'm a risk for my client to work with, like, they're gonna want to go away, well, why would they want to do that? Because if you're helping them to see the risks, then they can start asking good questions and understand why it's important to work with you. And not the devil, they don't know who's not going to have the same kind of practices in place. And now they understand, right? So you actually make them more sticky by helping them through this kind of conversation. And we uncover things like, well, you know, insurance, like, do you know, should we be calling your insurance company first, before we touch anything? Well, I don't know, why you gotta call them and find out what kind of, you know, what kind of coverage do you have for this particular situation? I don't know, you know, like, for

Nathan Whittacre  10:46

More questions than answers, right?

Leia Shilobod    10:49

But that's good, right? Because I'm not talking at them. I'm talking with them, and getting their brain to think about like, if this real scenario happened, you would have to know what to do. And you can't just like, it's not going to be call me and I take care of everything. Because it can't be that way. When you have a massive incident, you as the business owner have to be responsible for orchestrating what happens and being involved there. And so and that, of course, like tabletops, are part of our compliance process.

Nathan Whittacre  11:19

Yeah, that's an interesting point you make because I think a lot of business owners, especially small businesses want to just like hand a piece of paper to somebody and say, you know, I, I was told to get PCI compliance, or CMMC, can you sign this and tell me, I'm compliant? And they don't realize that as a business owner, they're certifying their company as being compliant. And really, it's on, you know, they have to bring the team in to help, but it's on them to ensure that their company is compliant, because the regulators will come after them and not, you know, not anybody else in the end?

Leia Shilobod  11:54

Yes, yes. And you never want to be in a situation where you abdicate our responsibility that should be yours, and then be like, well, you know, I thought, I thought you were supposed to be handling this for me. Nobody ever wants to be in that situation. I never want to be in that situation as a business owner. And I know that people that I work with never want to be in there either. But maybe they don't see that that's what they're doing. And you have to be able to have a way of re engaging them. So they understand that what is their peace and their engagement that's required in order for this to be successful?

Nathan Whittacre  12:25

Yeah, perfect. So going back, you know, tabletop exercises, I'm pretty sure it's part of the compliance and requirements of the framework. But , can you tell me a little bit more about CMMC. Who does it apply to? And, you know, what does a company need to do to go through that process?

Leia Shilobod    12:43

Yeah, so. So before there was a CMMC. There were requirements contractual requirements that any organization that has a federal contract, or is in the Department of Defense's supply chain has an order to protect information, the two kinds of information they're required to protect this federal contract information and controlled unclassified information, the government has those two classifications, and that's across all departments, controlled unclassified information and federal contracts information. So there's actually in the Federal Acquisition register the FAR there is a clause for basic safeguarding requirements. There are 15 requirements. If you have a federal contract, it does not matter if it's DOD, or anywhere. If you have a federal contract, there's those 15 Basic safeguards that you are required to have. And you when you sign your contract, you are attesting that you're doing that. And then if you have CUI, there's additional requirements. And right now, every department kind of like approaches that differently. The DOD has been the one who has really taken the reins on assuring that organizations that have their information, the controlled unclassified information, that they are actually implementing this properly. And that's because so many of our secrets, and important information about our defense has leaked out to our adversaries. And so not only are they able to create weapons, to be able to kill our people better, but they also can find the weaknesses so they can so when they are using their existing weapons that they can hurt and kill our warfighters and our people and we don't want that. So we have to protect that information. It's been more important to the DOD.

Nathan Whittacre  14:32

I think a lot of a lot of the leaks I think in general come from vendors, you know, you think yes, yeah. And that's that's an that's interesting, interesting perspective that they're taking.

Leia Shilobod  14:42

Yeah, so so they, they actually sent out their assessors their auditors to check to see to in you know, their their big primes and also in some smaller organizations, how well are they implementing these controls their 110 controls in a publication called NIST 800-171. How well is it being implemented. And what they found out was it was really bad. So and sometimes it was because organizations, they just kind of dropped the ball. Sometimes they didn't think it was important. And sometimes they just had confusion on how to actually implement it and what it looked like. So that's where the cmmc program came from. cmmc is like how to implement these controls the 15 from the FAR that's CMMC  level one, and that 110 from NIST 800-171  at level two. This is if you just have FCI. This one is if you have CUI.

Nathan Whittacre  15:38

What is FCI? Versus CUI for those that don't have all the acronyms memorized?

Leia Shilobod    15:43

Yeah, so the Federal Contract Information is going to be any federal contract information. So if you have information, that's a federal contract, that the government would not just like, post out on a public website, if you have to, like sign into sam.gov, in order to look at that information, then that's federal contract information, you're required to protect that with the 15 basic safeguards. There's other information sometimes that's like specifications, drawings, technical information that the department has, they've classified that as, or categorized that I should say, as Controlled Unclassified Information. So it's not, it's not classified, if it's classified, we have a whole nother set of controls, we have to look at there. But it's, it's still important for it to be protected, if it's not, with additional safeguards to assure that the confidentiality of that information. And so the government says, If I entrust you with that, then you contractually are bound to implement these safeguards to protect that information. And if you don't, it's a breach of your contract. And not like we're not just going to fire you. But we can come after you with False Claims Act and say, you've made a false claim that you were going to protect our information this way. And you're not. And we're going to sue you. And the there have been, you know, on the low end $20,000 fines on the high end millions of dollars in fines. And it depends on the nature of the situation.

Nathan Whittacre  17:12

Interesting. So I'm sure an organization could go out there and have somebody write all these policies, put them in a book, stick them on a shelf and be good, right?

Leia Shilobod    17:21

Nope. No. The answer's no. Because, because CMMC. And compliance is not a checklist, right? So when I talked to a manufacturer, and I said, Well, you know, you went through all this effort to have a quality program, right? Or you went through all this effort to have a safety program and your organization. They're like, yeah, yeah, we did. And like, so you didn't like, go through and do all this paperwork and do a checklist you'd like, well, we're safe, right? We're good. We have to do anything else, we got our checklists, and now we're safe. You would say that's ridiculous. Safety is not like what we've arrived, then we're safe, you have to continuously follow the processes, have safety meetings, maybe maybe like continuously improve some of those processes to keep your people safe. Same thing with quality is the same thing with cybersecurity compliance, there's actions you have to take on a regular basis, we call that the compliance actions, Cadence. Things like maintenance on systems, patching, checking backups, looking at alerts, security reports, running reports, over time, looking for vulnerabilities, bringing all this information together, looking at the documentation, making sure we're following policy, and it's not just like, you know, collecting dust on the shelf, doing those tabletop exercises. So we're ready when there's an incident because it's not going to be if it's definitely gonna be when, you know, and collecting all the evidence that we're actually doing the things that we attested to, in that contract, that we are actually doing those things, because a lot of people are going to have to present themselves for official assessments and become certified.

Nathan Whittacre  18:55

So how does a company get started with this, let's say, you know, small contractor, and, you know, maybe does have some of that confidential or proprietary information that gotta be protected by level two, how, what does a company need to do if they haven't started on this at all?

Leia Shilobod    19:12

Well, the first thing we need to get really clear on is what is this information that I need to protect? Right, because if you work with gatekeepers, here's a good tip. If you ask anyone external to help you with this process, and the first question that they ask you is not what is the information you have to protect and how does it flow through your organization, then you need to not work with them. Because if you don't you have to start there. All right. Once you've determined what that information is, and maybe you say, I don't know, you have to figure out by some mechanism some way whether it's like everything that comes from ABC company, we're going to treat it like it's CUI. I don't care what it is you do, but you have to put some kind of like circle around what is it the thing we have to protect? Because the rest of your program is going to have to follow that information and it's going to help us understand how we're going to apply the changes the the security controls and all those things in your in your organization. We don't start there, we can't implement the program. After that, the next thing to do is to do a gap assessment is now you know, how the information is flowing, who has access to it now, and how you're going to need to control it to align with that requirement. And so you say, Okay, here's where we are. And here's where we have to be, what are all the things that we have to change? And the list of all those things are like, we're currently not doing this currently not doing this currently not doing this. And all those not doing this is go on a plan, a plan of action milestones, and then you look at this list. And oftentimes, it's like hundreds of things that have to be changed. And you say, Okay, so in all this list, let's see projects, okay. Like, maybe I see, we're going to have to upgrade our ERP or MRP, because it's sitting on servers that are too old. And that's like, it's, you know, these, these servers are not going to be able to meet the controls, maybe that's a project, maybe you recognize that the, the wireless system that you have in place is not going to be compliant. Maybe that's maybe that is there will always be documentation. So always be some kind of documentation project in there. Because no organization that I've talked to I work with even the one that has 1000 company, people in it, you know, none of them have the required documentation in order to run the program properly. So that's going to be on there, too. There might be some changes in a business process, because maybe a current business process, like there's no way to be able to secure that properly, I need to think about different ways of doing that. And then so you look at all of those things, create discrete projects, assign some kind of estimated value, and labor list, and then start to prioritize them figure out how to remediate appliances, not just the project, right. So at the same time, while you're working through those projects, you're also implementing that those cadences of the activities you have to do and collecting evidence. And that also helps you to stay on track. Because when you're having those meetings, and doing the that cadence of activities, that you can also check in on the projects and making sure that they're Yeah, going along, like they're supposed to get done.

Nathan Whittacre  22:11

Yeah, seems like I mean, it really does change the business, it isn't something. Like I said, you can't just put a binder on a shelf and call it good. It's really changing the core of the business and the way things are done to protect that. So how does your business that doesn't require, you know, isn't a federal contractor doesn't require things? Is there anything that you've learned from this framework that any business should implement?

Leia Shilobod    22:37

Yes, absolutely. And that is that, I know, I realized that CMMC is not, you know, this, this whole new world, it's implementing and maintaining a cybersecurity compliance program. And if you can implement and maintain a cybersecurity compliance program, you can implement and maintain any cybersecurity compliance program, the backbone of that is a set of controls, in other words, standards and controls that you want to align with, and then actions and actions cadence to make sure that those things are all happening. So every business needs to have some kind of a program in place and some kind of standard. Otherwise, you're just guessing, right? I think this is the best thing. I think this is the best thing. And actually, like having a set of controls whether you use the NIST controls like 800-171, or, you know, the Cybersecurity Framework CSF, or you use CIS controls, there's a whole bunch of sets of controls, no matter which one, you use the all crosswalk. So like there's similarities between all of them. Why? Because there are just best practices that we all say these are things that you should definitely do. And then if you select controls from in one of those other, you know, organizations, like a standard set of controls, you know, that like a bunch of really smart people got together, and they thought about a lot of things that you probably didn't think of, and so that helps you to say, okay, yes, like, here are our standards for the way that our systems are going to be configured, and maintained and accessed and authorized, our people are going to be maintained, screened, and authorized. And our physical environment is also going to be maintained and authorized, and how we're going to report on that on a regular basis. Every business should have a program like that, because otherwise, it's going to be incomplete. There'll be holes and gaps, it'll be spastic in nature, and it will be in the end more expensive to the business.

Nathan Whittacre  24:35

It's just going to be fits and starts, you know, it's not not going to be consistent and Well, excellent. I mean, you gave us a ton of information here, kind of an overview. I'm sure there's a lot more to go over. So if somebody wanted to get in touch with you, what's the best way to find out more about how to implement this inside their business?

Leia Shilobod   24:52

Okay, so, if you love cybersecurity compliance programs, or you'd like to learn how to implement a cybersecurity compliance program for your company, please Call me. And you can find me actually a lot of places. First of all, like, if you google this name, you will be able to find me because like, trust me, like I'm everywhere. So if you try to go, if you don't know how to find me, then you probably don't have any business using the internet. And I have no idea how you found this podcast. But on LinkedIn, my handle is Princess Leia, just like from Star Wars. It's actually who was named after. Or you can just find me on here by linking linking me that I'm also on Signal of use a Signal app, Leia Kupris Shilobod, and be able to find all my contact information is on LinkedIn, including my email address and my cell phone number.

Nathan Whittacre  25:41

Excellent Leia. I hope that you know, this was informative for everybody. Definitely, you know, it seems overwhelming when you're getting into compliance and there's just so many things but an expert can walk you through the process and help your business. make it simpler. It's not always easy, but definitely simpler and you need an expert walking through and Les as an expert in this field. So appreciate your time today, and hopefully everybody got something out of this.

Leia Shilobod  26:08

Thank you, Nathan.

---

Stimulus Tech Talk Episode 8