
CMMC: What can a software vendor do for you?

Software Security

Unless you have been totally focused on other world events in recent months and haven't been paying attention, as a government contractor you probably have heard about Cyber Maturity Model Certification compliance, or CMMC. If you're a finance professional, you are probably a bit perplexed by the different requirements and levels (i.e., 1 through 5) and may be fortunate enough to have an individual other than yourself, either inside or outside of your company, available to help you meet the extensive certification requirements.

I have fielded several calls from concerned clients in recent months on this topic, and the question most commonly asked of me is: what can we do to make CMMC a reality with respect to our hosted cost accounting software offering? The truth is that a software vendor engaged in hosting your applications can help you meet only a limited number of the security controls (of which there are many), since most of the processes and controls are the direct responsibility of the contractor. Practices such as "Awareness and Training" and "Personnel Security" involve your people and your internal controls. For example, who within your organization determines which members of your staff can access which information technology systems? While all of your staff members may have access to time and expense entry, a smaller number of individuals will likely be permitted access to your financial system. Achieving Level 1 and Level 2 of CMMC mostly centers on establishing and then documenting your cybersecurity practices, policies and procedures. A good starting point is to review FAR 52.204-21 and NIST SP 800-171, with its guidelines for protecting Controlled Unclassified Information (CUI). As you will see, these processes have much to do with limiting internal access to your information technology systems and not as much to do with the software that is being accessed.

Now, where your hosted software vendor comes in is by providing a highly secure IT platform that encompasses the practices set forth in achieving what is referred to under CMMC as "Good Cyber Hygiene". These practices include, but are not limited to:

    • Providing multi-factor authentication (MFA) for login security
    • Creating data backups on a nightly basis, with encryption of data at rest
    • Storing data backups in a secure location outside of the network
    • Applying operating system and database software updates (patches) on a regular (at least monthly) schedule
    • Installing anti-malware software within the network
    • Having a recovery plan in place to restore your computing environment in a matter of hours

A question that is frequently asked is, "Where exactly is my data stored?" It turns out that the aim of this question is less about where the data is stored geographically and more about the security of the data center itself. Data centers, such as the Microsoft Azure platform that we primarily use for our hosted networks, are regularly audited for Service Organization Controls (SOC) by third-party auditing teams. The results of these audits are provided in periodic SOC audit reports. This represents an ongoing audit process that data centers must undergo in order to determine whether best practices are being observed and, if not, where corrections and improvements must be made.

In addition to the above, we - as your trusted hosted software vendor - continually strive to keep up with the latest cybersecurity best practices and will continue to invest in making our hosted infrastructure as secure as possible. What keeps us up at night should not keep our clients up at night!
