CMMC: What can a software vendor do for you?

Unless you have been totally focused on other world events in recent months and haven't been paying attention, as a government contractor you probably have heard about Cyber Maturity Model Certification compliance or CMMC. If you're a finance professional, you are probably a bit perplexed by the different requirements and levels (i.e., 1 through 5) and may be fortunate enough to have an individual other than yourself either inside or outside of your company available to help you to meet the extensive certification requirements. 

I have fielded several calls from concerned clients in recent months on this topic, and the question that is commonly asked of me is what is it that we can do in order to make CMMC a reality with respect to our hosted cost accounting software offering? The truth is that a software vendor engaged in hosting your applications can help you to meet a limited number of security controls (of which there are many) since most of the processes and controls are the direct responsibility of the contractor. Best practices such as staff "Awareness and Training" and "Personnel Security" involve your people and your internal controls. For example, who within your organization determines who among your staff can access certain information technology systems? While all of your staff members may have access to your time and expense entry, a smaller number of individuals will likely be permitted access to your financial system. Achieving Level 1 and Level 2 of CMMC mostly centers around establishing and then documenting your cybersecurity practices, policies and procedures. A good starting point would be to review FAR 52.204-21 and NIST SP 800-171 with its guidelines for protecting Controlled Unclassified Information (CUI). As you will see, these processes have much to do with limiting internal access to your information technology systems and not as much to do with software that is being accessed.  

Now, where your hosted software vendor comes in is by providing a highly secure IT platform that encompasses the practices set forth in achieving what is referred to under CMMC as "Good Cyber Hygiene". These practices include, but are not limited to:

• • Providing multi-factor (MFA) authentication for login security 
  • Creating data backups on a nightly basis with data at rest encryption
  • Storing data backups in a secure location outside of the network
  • Applying Operating System and database software updates (patches) on a regular (at least monthly) frequency
  • Installing Anti-Malware software within the network 
  • Having a  recovery plan in place to restore your computing environment in a manner of hours.

A question that is frequently asked is, "Where exactly is my data stored?". In turns that the aim of this question is less about where data is stored geographically and more about the security of the data center itself. Data centers, such as the Microsoft Azure platform that we primarily use for our hosted networks, are regularly audited for Service Organization Controls (SOC) by third-party auditing teams. The results of these audits are provided in the periodic SOC audit reports. This represents an ongoing audit process that data centers must undergo in order to determine whether best practices are being observed and, if not, where corrections and improvements must be made.

In addition to the above we - as your trusted hosted software vendor - continually strive to keep up with the latest in cybersecurity best practices and will continue to invest in making our hosted infrastructure as secure as possible. What keeps us up at night should not keep our clients up at night!