Government contractors play a critical role in supporting various agencies and handling sensitive information. To safeguard this data from cyber threats, the U.S. government has established guidelines and frameworks. One such framework is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which outlines requirements for protecting Controlled Unclassified Information (CUI). In addition, the Cybersecurity Maturity Model Certification (CMMC) program has been introduced to assess the cybersecurity maturity of government contractors. 

In this blog post, we will explore the latest updates to NIST SP 800-171 as they relate to CMMC, providing insights into how these changes impact government contractors and their journey towards certification.

Overview of NIST SP 800-171

NIST SP 800-171 focuses on safeguarding CUI in non-federal systems and organizations. It outlines a set of 110 security requirements across 14 control families. These requirements cover various aspects of cybersecurity, including access control, incident response, security awareness, and more. Contractors working with the U.S. government must comply with these requirements to protect CUI.

Introduction to the CMMC Program

The Cybersecurity Maturity Model Certification (CMMC) program builds upon NIST SP 800-171 and introduces a tiered approach to assess the cybersecurity maturity of government contractors. CMMC includes five levels, ranging from basic cyber hygiene practices to advanced and proactive security measures. Contractors must achieve the appropriate CMMC level to bid on contracts, depending on the sensitivity of the information they handle.

Alignment between NIST SP 800-171 and CMMC

The latest updates to NIST SP 800-171 have been made to align with the CMMC program. The revised publication incorporates enhanced security controls and updates from the current version of the NIST Risk Management Framework (RMF). This alignment ensures that contractors who meet the requirements of NIST SP 800-171 will be on the path to achieving CMMC certification.

Impact of the Updates on Government Contractors

The updates to NIST SP 800-171 introduce additional security controls and guidelines that contractors must address to enhance their cybersecurity posture. Some of the notable changes include requirements for multifactor authentication, incident response testing, encryption, and supply chain risk management. Contractors need to evaluate their current practices and implement necessary changes to comply with the updated controls.

Navigating the Certification Process

To achieve CMMC certification, government contractors must undergo a rigorous assessment conducted by authorized Third-Party Assessment Organizations (C3PAOs). These assessments evaluate an organization’s implementation of security controls outlined in NIST SP 800-171 and additional CMMC requirements. Contractors should leverage the guidance provided by NIST and engage with experts to prepare for the certification process.

The evolving cybersecurity landscape demands continuous improvements in protecting sensitive information. The updates to NIST SP 800-171 demonstrate the government’s commitment to strengthening cybersecurity measures for government contractors. By aligning with the CMMC program, these updates provide a clear roadmap for contractors to enhance their cybersecurity maturity. It is essential for government contractors to stay informed about these updates, evaluate their current practices, and invest in the necessary measures to achieve compliance and certification, thereby ensuring the protection of sensitive government information.

SME will work with your team to achieve compliance with these four straightforward services:

• NIST 800-171 Compliance Assessment
• Plan of Action and Milestones (POAM) Development
• Cybersecurity Policy Development
• Employee Training and Awareness

Let’s get started with a complimentary consultation to discuss where you are today and where you need to be with your cybersecurity posture. Contact SME today at (703) 378-4110 to discuss the next steps in your action plan.

What are the latest best practices in ALTA Pillar 3 for title companies, their workforces, and their security infrastructures?

That’s a great question. And we’ve been getting it a lot lately from title company owners, executives, and IT teams. 

So we decided to provide you with some definitive answers in this post.

Here’s what you can expect to learn:

• What Are The Changes to ALTA Pillar 3 In Version 4.0?
• What Do Title Companies Need To Know About ALTA Best Practice 3?
• What To Do Next To Prepare For ALTA Pillar 3 Compliance

Let’s get started with the basics.

What Are The Changes to ALTA Pillar 3 In Version 4.0

ALTA announced the release of version 4 of its Best Practices Framework in a letter on January 23, 2023, with an effective date of May 23, 2023, for implementation. Here’s what they had to say about Pillar 3:

Though not reflecting the full extent of the proposed changes, the revisions that have received significant areas of attention include:

Pillar 3 (Privacy and Information Security Programs to protect NPI): Updates to the physical protection of NPI, inclusion of network and cloud security of NPI, further details on coverage of business continuity and disaster recovery plans, further details on the required oversight of service providers and third party systems, use of the ALTA Cybersecurity Incident Response Plan Template as a reference document for the written incident response plan, and requiring processes for addressing breaches or unauthorized access to NPI.

That covers the new requirements of Version 4 at a high level. All of the legacy Pillar 3 requirements from Version 3.0, like annual vulnerability and risk assessments, security awareness training, etc., are also still in place.

Pillar 3 is all about protecting Non-Public Personal Information, aka NPI. 

As a quick refresher, NPI typically includes a first name or initial and a last name combined with—Social Security Number, driver’s license number, state-issued ID number, credit or debit card number, other bank or financial account information.

It’s also important to note that NPI can be maintained and stored in physical and/or digital format. NPI can be contained in customer applications, transaction records, files, and other relevant customer documents and communications. 

Storage for records containing NPI might be maintained physically on-premise, in third-party physical archives, or in rented or leased facilities. Electronic storage might include on-prem computers and servers, remote work computers, mobile devices and laptops, colocated computers, and cloud servers and storage.

The bottom line is all NPI must be maintained according to Pillar 3 requirements. Incidents that led, or might have led, to compromised NPI must also be reported. 

ALTA has provided numerous resources to help title agencies and settlement services companies comply with Title Insurance and Settlement Company Best Practices Version 4. 

But it’s important to note that these resources and documents are intended for large, comprehensive security and IT teams that are beyond the scope of most small and mid-sized companies. 

That’s where we can help.

What Do Title Companies Need To Know About ALTA Best Practice 3?

We’ve summarized the new ALTA Pillar 3 requirements contained in the Best Practices Version 4 framework. This is what it looks like at a high level.

From the ALTA Title Insurance and Settlement Company Best Practices Version 4, the Pillar 3 section starts with the requirement for a WISP, or Written Information Security Plan:

[Pillar] 3. Best Practice: Adopt and maintain a written information security plan (“WISP”) and a written privacy plan to protect NPI as required by local, state, and federal law.

Establish and implement a WISP designed to protect the security and confidentiality of NPI and the security of the Company’s information systems. The WISP should include:

In a nutshell, these are the main NPI security components:

• Multi-factor user authentication
• Password management plan that requires unique login names and system

passwords to access systems containing NPI 

• Timely software updates 
• Physical security (including background checks)
• Network and cloud security policies to protect NPI on IT systems and infrastructure
• Development of guidelines for the appropriate use of information technology

Preparedness and Training

This summarizes the requirements of the Preparedness and Training Section:

• Establish, and periodically test, a written business continuity and disaster

recovery plan 

• Establish, and periodically test, a written incident response plan designed to

promptly respond to, and recover from, a cybersecurity incident

• Periodically review the Company’s security controls and the Company’s WISP and make appropriate changes to address emerging threats and risks to the

Company’s information systems and NPI

• Establish a training program to guide management and employee compliance with Company’s WISP and awareness of current and developing cybersecurity threats

We also paraphrased the last three major requirements of ALTA Pillar 3 v4:

Comply with applicable federal and state laws pertaining to securely maintaining records containing NPI. 

Select service providers, contractors, consultants, and third-party systems whose information security policies are consistent with the Company’s WISP, including software tools and resources which may have access to NPI or store records containing NPI as part of their setup or operation. 

Establish a privacy policy explaining how data is collected and used and publish it on Company’s website(s) or provide information directly to Consumers in another useable form.

To sum it all up, there are significant technology and physical security measures required in the latest version of ALTA Pillar 3 for title and settlement services companies. These measures impact your choice of vendors, consultants, service providers, software, hardware, and cloud  solutions.

And the new version of ALTA Best Practices takes effect on May 23, 2023.

We recognize that you’re focused on serving your clients, not on physical and cyber security policies surrounding the collection and maintenance of NPI.

That’s why it’s time to meet your ALTA Title Insurance and Settlement Company Best Practices Version 4 compliance team.

What To Do Next To Prepare For ALTA Pillar 3 Compliance

SME is here to assist title agencies from start to finish in order to successfully meet ALTA Best Practice 3. Here’s what you can expect:

• Our team will perform a pre-assessment to determine your readiness level 
• Our team will lay out a comprehensive plan to help you organize your compliance efforts
• Our team will recommend and implement security products and services as directed by your team
• Our team will work with you and your team to document and report successful completion of Best Practice 3
• We’ll be mindful of your budget and timeframe for implementation

Systems Management Enterprises, Inc. is a Virginia-based Information Technology and Security Company offering a variety of purpose-built, cost-effective solutions for your business needs. 

We’ve been in business for over a decade—providing infrastructure services, managed security, compliance solutions, and technical support to small and medium enterprises in the title services space.

At SME, we have the experience, expertise, services, and solutions to help you  maintain a secure, always-available, compliant technology infrastructure. 

Do you have questions? 

We’re here to help. Call us at 703-782-9140 or Schedule Your Free ALTA Best Practice 3 Assessment Today! 

The Department of Defense (DoD) recently issued a final ruling that requires contracting officers to consider supplier risk assessments in the Supplier Performance Risk System (SPRS) when evaluating offers. This ruling is an effort to improve the cybersecurity of the defense industrial base (DIB) by encouraging contractors to implement strong cybersecurity measures and effectively manage their supply chains. 

Under the old DFARS 7019 ruling, contractors were required to enter their score into SPRS with the assumption that contracting officers might be checking to confirm the score was in there before the decision was made to award a contract.

Contracting officers are now instructed by the final rule to consider assessments, if available, in determining contractor responsibility through the new solicitation provision called DFARS 252.204-7024, effective March 22, 2023. The new ruling makes checking the score a requirement before awarding a contract.

One of the key ways that contractors can improve their SPRS score, and therefore their chances of winning DoD contracts, is by completing a NIST 800-171 assessment. This assessment is a set of cybersecurity standards developed by the National Institute of Standards and Technology (NIST) that contractors must meet in order to do business with the DoD.

However, completing a NIST 800-171 assessment can be a complex and time-consuming process. That’s where Systems Management Enterprises (SME) comes in. SME is a leading provider of cybersecurity and compliance solutions for government contractors, and they can help contractors navigate the NIST 800-171 assessment process and improve their SPRS score.

SME offers a comprehensive suite of services designed to help contractors meet NIST 800-171 requirements and improve their cybersecurity posture. These services include:

1. NIST 800-171 Compliance Assessment: SME’s team of cybersecurity experts will conduct a thorough assessment of your organization’s current cybersecurity posture and identify any gaps or vulnerabilities that need to be addressed to meet NIST 800-171 requirements.
2. Plan of Action and Milestones (POAM) Development: SME will help you develop a comprehensive POAM that outlines the steps you need to take to address any gaps or vulnerabilities identified during the compliance assessment.
3. Cybersecurity Policy Development: SME can help you develop and implement cybersecurity policies and procedures that meet NIST 800-171 requirements and align with your organization’s overall cybersecurity strategy.
4. Employee Training and Awareness: SME can provide cybersecurity awareness training to your employees to help them understand their role in protecting sensitive information and preventing cyberattacks.

By partnering with SME, contractors can improve their SPRS score and demonstrate to the DoD that they are taking cybersecurity seriously. SME’s team of cybersecurity experts can help contractors navigate the complex world of cybersecurity compliance and ensure that they are meeting all relevant standards and regulations.

Contractors can improve their chances of winning DoD contracts by completing a NIST 800-171 assessment and improving their SPRS score. SME can help contractors navigate the assessment process and improve their cybersecurity posture, ensuring that they are well-positioned to compete in the DIB. Contact us to today to get started!

Spring Hardware Cleanup Around The Office

Spring is the perfect time for businesses to take stock of their computer hardware and perform a thorough clean-up. Over time, hardware can accumulate dust and debris, leading to poor performance and potential hardware failures. But cleaning up your business’s hardware is not just about keeping things in good working order – it’s also about protecting your intellectual property and sensitive client data.

In this blog post, we’ll explore some tips for spring clean-up of computer hardware for businesses, including how to clean up business intellectual property and sensitive client data to ensure compliance with industry regulations.

Step 1: Physical Cleaning

The first step in spring cleaning your business’s computer hardware is physical cleaning. Dust and debris can accumulate on your computer hardware, causing it to overheat and malfunction. Start by shutting down your computer and unplugging it from the power source. Use a soft, lint-free cloth to gently wipe down the surface of your computer, including the keyboard and screen. For more stubborn dirt and grime, use a cleaning solution that is safe for computer use.

When cleaning your computer hardware, it’s essential to be gentle and avoid using harsh chemicals that can damage sensitive components. Don’t forget to clean the inside of your computer as well, using compressed air to blow away any dust or debris that may be clogging the fans or causing other issues.

Step 2: Back Up Important Data

Before you start deleting files or uninstalling programs, it’s crucial to back up any important data. This includes your business’s intellectual property, such as patents, trademarks, and copyrights, as well as sensitive client data, such as financial records, personal information, and confidential contracts.

Backing up your data can be done in a variety of ways, such as using an external hard drive, a cloud-based storage service, or a secure server. Choose the option that is best for your business and make sure that the backup is complete and up-to-date.

Step 3: Delete Unnecessary Files and Programs

Once you have backed up your important data, it’s time to delete unnecessary files and programs from your computer. This can help free up space on your hard drive, improve your computer’s performance, and reduce the risk of cyber attacks.

When deleting files, be sure to permanently delete them, so they can’t be recovered. When uninstalling programs, use the proper uninstallation process to remove all associated files and registry entries.

Deleting files and data can be an intimidating process. Why not let SME do this for you? We can ensure your company is deleting files properly and creating the proper documentation that will meet compliance requirements.

Step 4: Securely Dispose of Hardware

When it’s time to retire old computer hardware, it’s essential to do so securely. This includes wiping the hard drive clean of all data and physically destroying the hard drive if necessary.

SME can assist with secure data destruction and responsible disposal of electronic waste.

Step 5: Stay Compliant

Finally, it’s crucial to stay compliant with industry regulations when handling business intellectual property and sensitive client data. Depending on your industry, you may need to comply with regulations such as ALTA Best Practices, CMMC, or HIPAA.

Make sure that your business is up-to-date with all relevant regulations and that you are taking the necessary steps to protect your intellectual property and sensitive client data.

Keep Your Systems Running Smoothly with SME

Spring clean-up of computer hardware for businesses is an essential task that can help keep your systems running smoothly and protect your intellectual property and sensitive client data. By following these tips, you can ensure that your business is compliant with industry regulations and that your data is secure.

SME can conduct a thorough review of your tech hardware to provide you with a roadmap for the future. Get in touch with us today for your free consultation.

The ideal time to plan for the future is when the year is drawing to a close. Businesses usually start the year with the hope of growing and improving their operations. Technology dictates much of how businesses operate. So, it makes perfect sense to identify areas of optimization in your IT.

A year-end technology review gives you the chance to look at various areas of your IT. The goal is to take time to focus on improvements you can make to boost your bottom line along with the tactics required to lower the risk of a costly cyberattack.

The reality is that organizations that make use of technology generally tend to be more secure and do better. 

Take some time this year-end to do a technology review in your organization with either a managed IT provider or your IT team. It will be a great way to set your organization up for success and security in the coming year.

What Are the Key Considerations When Reviewing Your Technology at Year-End?

The goal of the year-end technology review is to look at all areas of your IT infrastructure. Efficiency, security, as well as bottom-line considerations will be the key drivers for any future initiatives.

I. Technology Policies

People usually stop following technology policies that get outdated. So, review all your policies to see whether any of them require updating to reflect new conditions. For instance, if you now have some staff that work from home, ensure that your device use policy also reflects this.

Don’t forget to let your employees know when you do update policies. It gives them a refresher on important information. They might have forgotten some things since onboarding.

II. Disaster Recovery Planning

When did you last have an incident response drill in your organization? Is there a list of steps employees are required to follow in case of a cyberattack or natural disaster?

Set aside time to do disaster recovery planning for the coming year. It can also be a good idea to put dates in place for preparedness training and drills in the coming months.

III. IT Issues and Pain Points

It is never a good idea to go through a major IT upgrade without taking the employee pain points into consideration. Otherwise, you might end up missing some golden opportunities for improving staff well-being and productivity.

Survey your employees on their use of technology. Ask questions about their favorite and least favorite apps. Learn about the struggles they face. Find out how they feel technology may improve to make their jobs better. In turn, this will benefit your business. It will also help you target the most impactful improvements.

IV. Privileged Access and Orphaned Accounts

Part of the year-end review should be doing an audit of your privileged accounts. Permissions can be misappropriated over time, which can leave your network at a higher risk of a major attack.

You should make sure that admin-level permissions are only granted to those that need them. The fewer the privileged accounts in your business tools, the lower your risk. Compromised privileged account passwords open the door to disaster.

You should also look for any orphaned accounts while going through your accounts. These should be closed because they are no longer in use. Leaving them active poses a serious security risk.

V. IT Upgrade and Transformation Plans 

Making IT decisions and upgrades “on the fly” can end up biting you. It is best to plan out a strategy beforehand so that you can upgrade in an organized way.

Have a vulnerability assessment done. It will give you a list of potential problems that your organization needs to address. Eliminating vulnerabilities helps improve your cybersecurity. Planning ahead helps you budget for upgrades and avoid unplanned expenses.

VI. Cloud Use and Shadow IT

Review how cloud applications are used in your organization. Are there some apps that are hardly ever used? Does your cloud environment have redundancies? The review will not only help you in reducing waste but also saving money.

You should also check for employee use of shadow IT. These are essentially cloud applications used for work purposes but didn’t go through approval. Management might not even know about them. Eliminate this potential security risk by either officially approving them or closing the accounts.

VII. Customer-Facing Technology

It is also important to look at the customer experience provided by your technology infrastructure. Go through your website and contact process just as a customer would.

If you find yourself getting frustrated by things such as website navigation, then your leads and customers may be too. Ensure that optimizations to your customer-facing technology are included in your new year plans.

Schedule a Technology and Security Assessment Today!

SME can conduct a thorough review of your technology environment to provide you with a roadmap for the future. Get in touch with us today for your free consultation.