Blog

Subscribe to our Blog

CMMC: What can a software vendor do for you?

Software SecurityUnless you have been totally focused on other world events in recent months and haven't been paying attention, as a government contractor you probably have heard about Cyber Maturity Model Certification compliance or CMMC. If you're a finance professional, you are probably a bit perplexed by the different requirements and levels (i.e., 1 through 5) and may be fortunate enough to have an individual other than yourself either inside or outside of your company available to help you to meet the extensive certification requirements. 

I have fielded several calls from concerned clients in recent months on this topic, and the question that is commonly asked of me is what is it that we can do in order to make CMMC a reality with respect to our hosted cost accounting software offering? The truth is that a software vendor engaged in hosting your applications can help you to meet a limited number of security controls (of which there are many) since most of the processes and controls are the direct responsibility of the contractor. Best practices such as staff "Awareness and Training" and "Personnel Security" involve your people and your internal controls. For example, who within your organization determines who among your staff can access certain information technology systems? While all of your staff members may have access to your time and expense entry, a smaller number of individuals will likely be permitted access to your financial system. Achieving Level 1 and Level 2 of CMMC mostly centers around establishing and then documenting your cybersecurity practices, policies and procedures. A good starting point would be to review FAR 52.204-21 and NIST SP 800-171 with its guidelines for protecting Controlled Unclassified Information (CUI). As you will see, these processes have much to do with limiting internal access to your information technology systems and not as much to do with software that is being accessed.  

Now, where your hosted software vendor comes in is by providing a highly secure IT platform that encompasses the practices set forth in achieving what is referred to under CMMC as "Good Cyber Hygiene". These practices include, but are not limited to:

    • Providing multi-factor (MFA) authentication for login security 
    • Creating data backups on a nightly basis with data at rest encryption
    • Storing data backups in a secure location outside of the network
    • Applying Operating System and database software updates (patches) on a regular (at least monthly) frequency
    • Installing Anti-Malware software within the network 
    • Having a  recovery plan in place to restore your computing environment in a manner of hours.

A question that is frequently asked is, "Where exactly is my data stored?". In turns that the aim of this question is less about where data is stored geographically and more about the security of the data center itself. Data centers, such as the Microsoft Azure platform that we primarily use for our hosted networks, are regularly audited for Service Organization Controls (SOC) by third-party auditing teams. The results of these audits are provided in the periodic SOC audit reports. This represents an ongoing audit process that data centers must undergo in order to determine whether best practices are being observed and, if not, where corrections and improvements must be made.

In addition to the above we - as your trusted hosted software vendor - continually strive to keep up with the latest in cybersecurity best practices and will continue to invest in making our hosted infrastructure as secure as possible. What keeps us up at night should not keep our clients up at night! 

Recent Blogs

June, 07 2024

Should You Factor Your Government Contract Receivables?

Business Tips CEOs & CFOs

Factoring your accounts receivable to a third-party financing company (i.e., factor) will provide near-instant payment on your federal government invoices instead of waiting the typical 30 days or lon[...] Read the Blog

April, 30 2024

The Q1 941 - Yet another sign the Pandemic is Over?

Accounting Software Accounting 941

One of the more vexing challenges going back to the start of the pandemic in 2020 has been trying to keep up w/ 941 "Employer's Quarterly Federal Tax Return" changes. Read the Blog

April, 02 2024

Accounting Software Upgrades - Taking it One Step at a Time

Accounting Software Business Tips

Company Culture plays a huge role when your company decides to change accounting systems.Your company must adequately plan for the conversion to realize the benefits. Don't forget about your people th[...] Read the Blog