Subscribe to our Blog

Cybersecurity Maturity Model Certification Redux

This past week, I was a panelist in a roundtable discussion on the topic of CMMC. It appeared based on some of the questions from the audience that this topic has been swept under the rug after an implementation delay that was announced in November 2021. After an extended period of "on again, off again", Department of Defense contractors should once again prepare for the rollout of CMMC 2.0 starting this May when the "Proposed Rule" of Level 1 and 2 compliance is expected to make its way into solicitations. DFARS 7012 has been around since 2016, but in order to become certified, a contractor must have a Level 2 assessment performed by undergoing a third-party audit instead of merely by self-assessment which still pertains to the basic controls and practices set forth in Level 1. The CMMC requirement is expected to have a phased roll-out, meaning it will not be included in all contracts, but it will be included in select contracts over a ramp-up period of six to twelve months.  There are 110 controls to become familiar with, and the majority are contained in your internal written policies and procedures detailing how you protect Controlled Unclassified Information (CUI) within your organization. 

A question that I was asked during the aforementioned panel discussion was, "As a software company that provides hosting of applications, are there things that you can do to help contractors who subscribe to your products and services meet certain controls?" Fortunately, the answer is yes, and there are at least a dozen controls and practices that we can assist our users in meeting the requirements for certification. These require cooperation and collaboration by both parties, and include but are not necessarily limited to:

Level 1 Practices/Controls
  • Update malicious code protection mechanisms when new releases are available. 
  • Disable the user accounts of employees when they leave the company

Level 2 Practices/Controls
  • Limit Unsuccessful Logon Attempts
  • Terminate (Automatically) a User Session after a Defined Condition
  • Remote Access Confidentiality: Employ cryptographic mechanisms for remote access sessions.
  • Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
  • Authoritative Time Source: Provide a system capability to generate time stamps for audit records.
  • Protect audit information and audit logging tools from unauthorized modification and deletion.
  • Multifactor Authentication: Use multifactor authentication for local and network access to privileged accounts 
  • Temporary Passwords: Allow temporary password use for system logins with an immediate change to a permanent password.
  • Scan for vulnerabilities in organizational systems and applications periodically 
  • Vulnerability Remediation: Remediate vulnerabilities in accordance with risk assessments.

Beyond the above controls that we can proactively provide to help with your certification, there are also the all-important CMMC domains of Physical Security and Personnel Security. To meet these requirements, we provide secure hosting for our products in the Microsoft Azure Cloud within one of their world-class data centers located in the United States.  

So, if you were among those individuals who thought that CMMC was placed indefinitely on the back burner after some fits and starts, it is going to be codified in contracts not only issued by the Department of Defense but other agencies as well here in 2023. Even if this weren't soon to become a reality, good cyber hygiene is something to be invested in with time and money well spent instituting and documenting the many practices and controls. There is no time like the present to become prepared, and we'll be ready to work with you when called upon and doing what we can to assist as your trusted Software-as-a-Service provider. 


Talk to a Specialist




Recent Blogs

April, 30 2024

The Q1 941 - Yet another sign the Pandemic is Over?

Accounting Software Accounting 941

One of the more vexing challenges going back to the start of the pandemic in 2020 has been trying to keep up w/ 941 "Employer's Quarterly Federal Tax Return" changes. Read the Blog

April, 02 2024

Accounting Software Upgrades - Taking it One Step at a Time

Accounting Software Business Tips

Company Culture plays a huge role when your company decides to change accounting systems.Your company must adequately plan for the conversion to realize the benefits. Don't forget about your people th[...] Read the Blog

March, 01 2024

When can we be Up and Running on your Software?

Insider Accounting Software

How long will it take to implement your software? The truth of the matter is that we just don't know. There are so many factors that play into the duration (and price) of setting up a new accounting s[...] Read the Blog