SME, Inc.


January 20, 2023 By Rich Westbrook

What Should Be Included in a Year-End Technology Infrastructure Review?


The ideal time to plan for the future is when the year is drawing to a close. Businesses usually start the year with the hope of growing and improving their operations. Technology dictates much of how businesses operate. So, it makes perfect sense to identify areas of optimization in your IT.

A year-end technology review gives you the chance to look at various areas of your IT. The goal is to take time to focus on improvements you can make to boost your bottom line along with the tactics required to lower the risk of a costly cyberattack.

Organizations that review their technology deliberately, rather than reacting to outages and incidents as they happen, tend to be both more secure and more productive.

Take some time this year-end to do a technology review in your organization with either a managed IT provider or your IT team. It will be a great way to set your organization up for success and security in the coming year.

What Are the Key Considerations When Reviewing Your Technology at Year-End?

The goal of the year-end technology review is to look at all areas of your IT infrastructure. Efficiency, security, as well as bottom-line considerations will be the key drivers for any future initiatives.

I. Technology Policies

People usually stop following technology policies that have become outdated. So, review all your policies to see whether any of them require updating to reflect new conditions. For instance, if you now have staff who work from home, ensure that your device use policy also covers home networks, personal devices and remote access.

Don’t forget to let your employees know when you do update policies. It gives them a refresher on important information. They might have forgotten some things since onboarding.

II. Disaster Recovery Planning

When did you last have an incident response drill in your organization? Is there a list of steps employees are required to follow in case of a cyberattack or natural disaster?

Set aside time to do disaster recovery planning for the coming year. It can also be a good idea to put dates in place for preparedness training and drills in the coming months.

III. IT Issues and Pain Points

It is never a good idea to go through a major IT upgrade without taking the employee pain points into consideration. Otherwise, you might end up missing some golden opportunities for improving staff well-being and productivity.

Survey your employees on their use of technology. Ask questions about their favorite and least favorite apps. Learn about the struggles they face. Find out how they feel technology may improve to make their jobs better. In turn, this will benefit your business. It will also help you target the most impactful improvements.

IV. Privileged Access and Orphaned Accounts

Part of the year-end review should be an audit of your privileged accounts. Permissions accumulate over time as people change roles and temporary grants are never revoked, and every unnecessary admin account is one more that an attacker can use to compromise the whole network.

Make sure admin-level permissions are granted only to those who need them, and only for the tools and systems their role requires. The fewer privileged accounts in your business tools, the lower your risk. Include service accounts and shared admin logins in the audit, not just named users; a compromised privileged account password opens the door to disaster.

While going through your accounts, also look for orphaned accounts: accounts belonging to people who have left, and service accounts that nobody owns any more. Disable them, strip their group memberships and remove them after a retention period, because an active account with no owner is one nobody will notice being abused.
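The checks above, as an added example that is not code from this post or from any directory product: an audit over a constructed directory export that lists who holds admin rights and flags accounts that are orphaned (no valid owner), stale, or disabled but still in admin groups. The group names, review date, 90-day threshold, account records and HR roster are all assumptions made for the example.

```python
"""Privileged-account and orphaned-account audit over a constructed export.

Added example for this post; it is not code from SME or from any directory
product. Account names, group names, dates and the HR roster below are all
constructed. A real run would load the same fields from a directory export
(for example a CSV of users with their group memberships and last-logon dates).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2022, 12, 31)          # assumed date of the year-end review
STALE_AFTER = timedelta(days=90)          # assumed inactivity threshold
# Assumed names of the groups that confer admin rights in this environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}

# Constructed list of people who are still employed according to HR.
HR_ROSTER = {"alice", "bob", "carol"}


@dataclass
class Account:
    name: str
    enabled: bool
    groups: set = field(default_factory=set)
    last_logon: Optional[date] = None     # None means the account never signed in
    owner: Optional[str] = None           # person accountable for a service account
    kind: str = "user"                    # "user" or "service"


# Constructed directory export.
ACCOUNTS = [
    Account("alice", True, {"Domain Admins"}, date(2022, 12, 20)),
    Account("bob", True, set(), date(2022, 12, 28)),
    Account("carol", True, {"Domain Admins"}, date(2022, 6, 1)),           # admin, idle for months
    Account("dave", True, set(), date(2022, 8, 15)),                       # left the company
    Account("svc-backup", True, {"Domain Admins"}, date(2022, 12, 30),
            owner="dave", kind="service"),                                 # owner has left
    Account("svc-legacy", True, set(), None, owner=None, kind="service"),  # nobody owns it
    Account("erin", False, {"Enterprise Admins"}, date(2021, 1, 1)),       # disabled but still admin
]


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def is_stale(acct: Account, today: date = REVIEW_DATE) -> bool:
    """True when the account never signed in or has been idle past STALE_AFTER."""
    return acct.last_logon is None or today - acct.last_logon > STALE_AFTER


def audit(accounts, roster=HR_ROSTER, today=REVIEW_DATE):
    """Return the review worklist: who holds admin rights, and which accounts
    are orphaned (no valid owner), stale, or disabled yet still in admin groups."""
    findings = {"privileged": [], "stale_privileged": [], "disabled_privileged": [],
                "orphaned": [], "stale": []}
    for a in accounts:
        if is_privileged(a):
            findings["privileged"].append(a.name)
            if not a.enabled:
                # Disabled accounts keep their group memberships; strip them so a
                # re-enable (or a restore from backup) does not restore admin rights.
                findings["disabled_privileged"].append(a.name)
            elif is_stale(a, today):
                findings["stale_privileged"].append(a.name)
        if not a.enabled:
            continue
        # Orphaned: a user who is no longer on the roster, or a service account
        # whose owner is missing or has left. Ownership is the test, not activity.
        responsible = a.name if a.kind == "user" else a.owner
        if responsible is None or responsible not in roster:
            findings["orphaned"].append(a.name)
        if is_stale(a, today):
            findings["stale"].append(a.name)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, names in audit(ACCOUNTS).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Note that svc-backup is flagged as orphaned even though it signed in yesterday: a service account whose owner has left has nobody to answer for its activity, which is exactly why ownership rather than last logon is the orphan test.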

V. IT Upgrade and Transformation Plans 

Making IT decisions and upgrades “on the fly” can end up biting you. It is best to plan out a strategy beforehand so that you can upgrade in an organized way.

Have a vulnerability assessment done. It will give you a list of problems your organization needs to address, which you should prioritize by exposure (internet-facing systems first) and by whether a working exploit is known, rather than by raw count. Eliminating vulnerabilities improves your cybersecurity, and planning the remediation ahead lets you budget for upgrades and avoid unplanned expenses.

VI. Cloud Use and Shadow IT

Review how cloud applications are used in your organization. Are there subscriptions that are hardly ever used? Are several tools doing the same job? Consolidating duplicate apps and cancelling unused licenses reduces waste and saves money, and it also shrinks the number of places your data lives.

You should also check for shadow IT: cloud applications that employees use for work but that never went through approval, so management may not even know about them and nobody has reviewed where company data is going. Look for them in SSO and OAuth consent logs, web proxy or DNS logs, and expense reports. Remove the risk by either formally approving each app (and bringing it under SSO and offboarding) or closing the accounts and recovering any company data stored in them.
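One way to find shadow IT from the logs mentioned above, as an added example rather than code from this post or from any proxy vendor: group web proxy entries by destination service, drop the services that are approved, and rank the rest by how many distinct people use them. The log format, the approved and ignored domain lists, the two-user threshold and every log line are constructed for the example.

```python
"""Shadow-IT discovery from constructed web proxy log lines.

Added example for this post, not code from SME or from any proxy vendor. The
log format, the list of approved services and every line below are constructed;
a real run would read your proxy, DNS or CASB export and maintain the approved
list from your procurement or SSO records.
"""
import re
from collections import defaultdict

# Assumed: services that went through approval (matched on registered domain).
# Note that a vendor's sign-in domain must be listed too, or it shows up as unapproved.
APPROVED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com",
                    "slack.com", "salesforce.com"}
# Assumed: general browsing destinations that are not work applications.
IGNORED_DOMAINS = {"google.com", "windowsupdate.com"}
MIN_USERS = 2   # assumed: flag a service once this many distinct people use it

# Constructed log lines: timestamp, user, destination host, HTTP method.
LOG_LINES = """\
2022-12-05T09:12:01Z user=alice dst=app.slack.com method=GET
2022-12-05T09:14:44Z user=bob dst=www.notion.so method=POST
2022-12-05T09:20:10Z user=carol dst=www.notion.so method=POST
2022-12-05T10:02:33Z user=alice dst=www.dropbox.com method=POST
2022-12-05T10:05:51Z user=alice dst=www.dropbox.com method=POST
2022-12-05T11:30:00Z user=dave dst=login.microsoftonline.com method=POST
2022-12-05T11:41:12Z user=dave dst=wetransfer.com method=POST
2022-12-05T11:42:05Z user=erin dst=wetransfer.com method=POST
2022-12-05T12:00:00Z user=bob dst=www.google.com method=GET
malformed line that should be skipped
"""

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<dst>\S+)")


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (app.slack.com -> slack.com).
    Simplification: wrong for suffixes such as co.uk; use a public-suffix
    library on real data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(lines: str):
    """Yield (user, registered_domain) pairs, skipping lines that do not match."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), registered_domain(m.group("dst"))


def shadow_it_report(log_text: str, min_users: int = MIN_USERS):
    """Return unapproved services with their distinct users, most used first.

    Each entry is (domain, sorted list of users). Services used by fewer than
    min_users people go in the second list for manual review instead."""
    users_by_domain = defaultdict(set)
    for user, domain in parse(log_text):
        if domain in APPROVED_DOMAINS or domain in IGNORED_DOMAINS:
            continue
        users_by_domain[domain].add(user)
    ranked = sorted(users_by_domain.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    flagged = [(d, sorted(u)) for d, u in ranked if len(u) >= min_users]
    low_use = [(d, sorted(u)) for d, u in ranked if len(u) < min_users]
    return flagged, low_use


if __name__ == "__main__":
    flagged, low_use = shadow_it_report(LOG_LINES)
    for domain, users in flagged:
        print(f"unapproved, {len(users)} users: {domain} ({', '.join(users)})")
    for domain, users in low_use:
        print(f"review: {domain} ({', '.join(users)})")
```

The user count is the useful signal: one person uploading to a file-sharing site is a conversation, while a service that several people have quietly adopted is a tool the business now depends on and needs to either approve or replace.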

VII. Customer-Facing Technology

It is also important to look at the customer experience provided by your technology infrastructure. Go through your website and contact process just as a customer would.

If you find yourself getting frustrated by things such as website navigation, then your leads and customers may be too. Ensure that optimizations to your customer-facing technology are included in your new year plans.

Schedule a Technology and Security Assessment Today!

SME can conduct a thorough review of your technology environment to provide you with a roadmap for the future. Get in touch with us today for your free consultation.

Filed Under: Uncategorized

May 24, 2022 By Rich Westbrook

DIBCAC Medium Assessments Are Coming To DIB Contractors

You may have missed it, but the CMMC Accreditation Body (CMMC-AB) hosted their March Town Hall Meeting on Tuesday, March 29th. The meeting lasted about an hour and covered several topics surrounding the CMMC. 

Topics included training and certification programs and the recent activities of the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center, aka DIBCAC.

The team at SME wanted to share some of the most relevant, actionable information from the meeting with our customer base of DIB contractors.


It’s important to note that DIBCAC is starting to do random assessments, look into compliance documentation, check SPRS scores, and ask for additional self-assessment documentation.

But what are the need-to-knows for Defense Industrial Base contractors?  

These are the issues from the CMMC-AB town hall that we’ll discuss in this post:

  • What type of assessments will DCMA be conducting, and what do DIB contractors need to be aware of? 
  • What are the compliance risks and required actions from contractors?
  • Where can DIB contractors go for questions and clarification?

So let’s get started with some important notes from the town hall meeting. The full meeting notes are available from the CMMC-AB:

Mr. DelRosso (DCMA/DIBCAC spokesman) then provided an update on medium assessments, which the DCMA DIBCAC is initiating to provide acquisition insight into the DIB. They are a paper-based drill and will be of minimal impact to contractors. They will be used for companies who self-attested at a variety of levels and will include a review of System Security Plan (SSP) descriptions of how each requirement is met. The DCMA will look at high scorers and low scorers and see if there is any pattern that can be identified based on scores and sectors of the DIB to get a real understanding on what is going on. The DCMA DIBCAC will be checking some of these SSPs soon to get a sense of compliance within the ecosystem.

The medium assessments have started rolling out. It might be helpful to understand the difference between medium versus high assessments:

  • Medium assessments – paper-based review used for companies who self-attested at a variety of levels and will include a review of System Security Plan (SSP) descriptions of how each requirement is met.
  • High assessments – conducted in depth by DCMA DIBCAC assessors: the SSP and supporting documentation are reviewed, and assessors examine evidence, interview staff and test controls, on site or virtually, to verify that each requirement is implemented as the SSP describes.

Here’s what you need to be aware of—if your organization has submitted a Supplier Performance Risk System (SPRS) score based on self-assessment, you still need to have a detailed system security plan (SSP) in place and available to DIBCAC personnel. 

In fact, the absence of an SSP could invalidate your score, according to NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1:

i) Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if the information is not available. The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’
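To make the quoted rule concrete, here is an added example (not code from SME, the DoD or any SPRS tool) that computes a NIST SP 800-171 DoD Assessment score from a control inventory transcribed from an SSP. The scoring rules it encodes are the methodology's own: start at 110, subtract each unimplemented requirement's Annex A weight (5, 3 or 1), give partial credit only for 3.5.3 and 3.13.11, and refuse to produce a score at all when there is no SSP. The requirement identifiers and weights shown are real; the implementation statuses are constructed, and requirements not listed are assumed implemented for the example.

```python
"""NIST SP 800-171 DoD Assessment (SPRS) score from an SSP control inventory.

Added example for this post; it is not code from SME, the DoD or any SPRS tool.
Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start from 110,
subtract the Annex A weight of every requirement that is not implemented, allow
partial credit only for 3.5.3 and 3.13.11, and do not score without an SSP.
The requirement ids and weights below are real; the statuses are constructed
and requirements not listed are assumed implemented.
"""
from typing import Dict, Optional

MAX_SCORE = 110

# Assumed subset of Annex A (requirement id -> weight). 3.12.4 is the SSP
# requirement itself: it carries no weight because without an SSP no
# assessment is possible, which is the rule quoted in the post.
WEIGHTS: Dict[str, Optional[int]] = {
    "3.1.1": 5,      # limit system access to authorized users
    "3.1.22": 1,     # control CUI on publicly accessible systems
    "3.3.1": 5,      # create and retain audit logs
    "3.5.3": 5,      # multifactor authentication
    "3.12.4": None,  # system security plan (gate, not scored)
    "3.13.11": 5,    # FIPS-validated cryptography for CUI
}

# Partial implementations the methodology scores at 3 instead of 5:
# 3.5.3 when MFA covers remote and privileged access but not general users,
# 3.13.11 when encryption is in place but is not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


def deduction(req: str, status: str) -> int:
    """Points subtracted for one requirement in the given state."""
    if status not in VALID_STATUS:
        raise ValueError(f"{req}: unknown status {status!r}")
    weight = WEIGHTS[req]
    if weight is None or status == "implemented":
        return 0
    if status == "partial" and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    # Any other partial implementation, and anything still open on a POA&M,
    # is scored as not implemented: the score reflects the current state.
    return weight


def sprs_score(ssp_present: bool, statuses: Dict[str, str]) -> int:
    """Return the assessment score, or raise when there is no SSP to assess."""
    if not ssp_present:
        raise ValueError("assessment could not be completed: no system security plan")
    return MAX_SCORE - sum(deduction(req, st) for req, st in statuses.items())


# Constructed control inventory as it would be transcribed from an SSP.
SAMPLE_SSP = {
    "3.1.1": "implemented",
    "3.1.22": "not_implemented",
    "3.3.1": "implemented",
    "3.5.3": "partial",            # MFA only for VPN and admin accounts
    "3.12.4": "implemented",
    "3.13.11": "not_implemented",
}

if __name__ == "__main__":
    print(sprs_score(True, SAMPLE_SSP))   # 110 - (1 + 3 + 5) = 101
```

The point to take from it is that a self-reported number is only as good as the SSP behind it: the assessor reads the SSP's description of each requirement to decide which state applies, so a score submitted without one has nothing to be checked against.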

So what are the compliance risks and required actions for DIB contractors?

You never want to be at risk with DCMA/DIBCAC compliance. You could be subject to invasive document review requests, DCMA Corrective Action Requests (CARs), and ultimately disciplinary actions, loss of contracts, status revocations, etc.

When industry-tested, professional, cost-effective solutions are readily available, who needs any of that?

Where can DIB contractors go for questions and clarification?

If you don’t have a system security plan in place, get in touch with our team today.

You still have time to get all of your documentation in place.

With our DIB-contractor-tested Compliance Management Platform, we can crosswalk from NIST 800-171 to CMMC and DIBCAC medium assessments. We’ll help you identify any gaps. Our team of Registered Practitioners will work with your team to build an SSP and an accurate, compliant SPRS Score.

As a designated CMMC-AB Registered Provider Organization (RPO), SME is uniquely positioned to provide pre-assessment advice, consulting services, remediation, and compliance recommendations to government contractors.

SME takes a different, more efficient approach to help our DIB clients achieve compliance. When you partner with us, you get a dedicated engineer who will help you build an action plan for a DCMA DIBCAC medium assessment.

At SME, we have a team of experts with all the extensive experience and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity. We are laser-focused on information security, so you don’t have to be.  

Right now we’re offering a no-obligation SSP assessment at no cost to you. Call us at 703-378-4110 or schedule your free SSP assessment today!

Filed Under: Uncategorized

January 10, 2022 By Rich Westbrook

What Exactly Is Cyber Insurance—And Does Your Business Need It?

Those are two great questions. And we’re going to provide some answers. 

We’re also going to discuss a nexus between CMMC certification and cyber insurance audit requirements that may enable you to kill two birds with one stone. 

In this post, we’ll drill down into these three critical aspects of cyber insurance:

  • What is cyber insurance, and how does it work? 
  • What are the business benefits?
  • Are there similarities between CMMC certification and cyber insurance audit requirements?

So what is cyber insurance, and how does it work?

Let’s start with a great definition from the liability experts at Hiscox Group:

A cyber insurance policy is designed to cover privacy, data, and network exposures. The list of regulations and statutes continues to expand regarding the use and protection of cyber security information, as well as notification requirements in the event of a breach. As cyber exposures continue evolving, so will your need to ensure that your business is protected if a cyber attack occurs.

Cyber insurance policies can vary from hundreds of dollars per year to tens of thousands. The cost of the policy will depend on a number of factors, including:

  • Type, quantity, and sensitivity of the information 
  • Size of the IT enterprise—number and locations of servers, storage devices, etc.   
  • Type and number of data and user access points and controls—web, employees, contractors, etc.
  • Current security vulnerabilities, etc.

Do the business benefits of cyber insurance outweigh the costs?

That depends on your business. Cyber insurance provides security breach and incident coverage over and above your general liability and professional liability insurance coverage. You can also design your policy to cover breach recovery costs, ransom and extortion costs, breach notification costs, loss of income, etc. Businesses should customize their policy to balance potential vulnerabilities and liabilities.

Additional business recovery costs can include hiring consultants to help with data recovery, replacement hardware and software, general IT consulting services, public relations costs, repairing a damaged business reputation, etc.  

Some things that you’ll want to ask your insurance company about, related to costs that might not be covered, include:

  • Third-party lawsuits
  • Legal fees in general
  • Intentional, negligent acts on your company’s part
  • Property damage or physical injury
  • Acts of terrorism

Cyber insurance does not stop an attack or a breach; what it does is transfer part of the financial impact, and it only does that well when the policy matches your actual risks. It is up to you and your team of IT security experts to find the right policy to fit your overarching security management framework and infrastructure.

Are there similarities between CMMC certification and cyber insurance audit requirements?

The short answer to that question is yes. There is no absolute requirement standard for DoD contractors or related businesses to become CMMC certified or to buy cyber insurance at this time. But, as we point out in a recent post, CMMC compliance requirements are an inevitable reality. CMMC implementation timelines may also be moving closer than the original target date of October 2025.

The right cyber insurance policy might also be a powerful, cost-effective tool in your cybersecurity armament. 

Both CMMC certification and cyber insurance start with a review of your current security practices, policies, and infrastructure. A CMMC assessment verifies the NIST SP 800-171 requirements; insurers increasingly ask applicants to attest to specific controls such as multifactor authentication, offline or immutable backups, and endpoint detection and response before they will bind coverage, and a misstatement on the application can jeopardize a later claim.

So we’re offering a complimentary initial security assessment for DoD small businesses, contractors, and subcontractors. This is an excellent opportunity to assess your cybersecurity environment for CMMC certification and cyber insurance at the same time.   

And we’re providing the initial assessment at no cost to you.

At SME, we have a team of experts with all of the extensive experience and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity. We are laser-focused on information security, so you don’t have to be.  

Are cybersecurity issues and potential threats keeping you up at night? Do you have questions about CMMC requirements for DoD contractors and small businesses? Let us handle your information security so you can focus on growing your business. 

Take advantage of our CMMC certification and cyber insurance readiness assessment, with no obligation and no cost to you.

Call us at 703-378-4110 or schedule your free cybersecurity assessment today!

Filed Under: Uncategorized

    Simply Making IT Easier!™
    Local: 703-378-4110
    Toll Free: 855-2-SMEINC
    Email: info [at] smeinc.net

    Copyright © 2023 · Systems Management Enterprises, Inc. · Privacy Policy · Terms of Service