Subscribe to our Blog

CMMC: What can a software vendor do for you?

Software SecurityUnless you have been totally focused on other world events in recent months and haven't been paying attention, as a government contractor you probably have heard about Cyber Maturity Model Certification compliance or CMMC. If you're a finance professional, you are probably a bit perplexed by the different requirements and levels (i.e., 1 through 5) and may be fortunate enough to have an individual other than yourself either inside or outside of your company available to help you to meet the extensive certification requirements. 

I have fielded several calls from concerned clients in recent months on this topic, and the question that is commonly asked of me is what is it that we can do in order to make CMMC a reality with respect to our hosted cost accounting software offering? The truth is that a software vendor engaged in hosting your applications can help you to meet a limited number of security controls (of which there are many) since most of the processes and controls are the direct responsibility of the contractor. Best practices such as staff "Awareness and Training" and "Personnel Security" involve your people and your internal controls. For example, who within your organization determines who among your staff can access certain information technology systems? While all of your staff members may have access to your time and expense entry, a smaller number of individuals will likely be permitted access to your financial system. Achieving Level 1 and Level 2 of CMMC mostly centers around establishing and then documenting your cybersecurity practices, policies and procedures. A good starting point would be to review FAR 52.204-21 and NIST SP 800-171 with its guidelines for protecting Controlled Unclassified Information (CUI). As you will see, these processes have much to do with limiting internal access to your information technology systems and not as much to do with software that is being accessed.  

Now, where your hosted software vendor comes in is by providing a highly secure IT platform that encompasses the practices set forth in achieving what is referred to under CMMC as "Good Cyber Hygiene". These practices include, but are not limited to:

    • Providing multi-factor (MFA) authentication for login security 
    • Creating data backups on a nightly basis with data at rest encryption
    • Storing data backups in a secure location outside of the network
    • Applying Operating System and database software updates (patches) on a regular (at least monthly) frequency
    • Installing Anti-Malware software within the network 
    • Having a  recovery plan in place to restore your computing environment in a manner of hours.

A question that is frequently asked is, "Where exactly is my data stored?". In turns that the aim of this question is less about where data is stored geographically and more about the security of the data center itself. Data centers, such as the Microsoft Azure platform that we primarily use for our hosted networks, are regularly audited for Service Organization Controls (SOC) by third-party auditing teams. The results of these audits are provided in the periodic SOC audit reports. This represents an ongoing audit process that data centers must undergo in order to determine whether best practices are being observed and, if not, where corrections and improvements must be made.

In addition to the above we - as your trusted hosted software vendor - continually strive to keep up with the latest in cybersecurity best practices and will continue to invest in making our hosted infrastructure as secure as possible. What keeps us up at night should not keep our clients up at night! 

Recent Blogs

April, 23 2021

The Evolution of Timekeeping Methods for Government Contractors

Government Contractor SYMPAQ Benefits Business Tips Electronic Timekeeping

Paper timesheets have long represented a simple but not ecologically friendly way for your workforce to record time against direct and indirect cost objectives. Learn about the evolution of electronic[...] Read the Blog

March, 23 2021

Doing business, the Cost Buildup Way

Government Contractor SYMPAQ Benefits Business Tips Indirect Costs

For Government Contractors, pricing your services appropriately is critical. For this reason, many use the 'cost buildup' pricing methodology. Learn more about this method and when to use it for your [...] Read the Blog

February, 17 2021

CMMC: What can a software vendor do for you?

Government Contractor Accounting Software SYMPAQ Benefits Business Tips

What is CMMC Compliance and how can a software vendor, like SYMPAQ, get you prepared for the hurdles that may lie ahead? Read the Blog