Blog | SME, Inc.

May 5, 2023 By Rich Westbrook

What Are The New Best Practices for ALTA Pillar 3 Version 4?

What are the latest best practices in ALTA Pillar 3 for title companies, their workforces, and their security infrastructures?

That’s a great question. And we’ve been getting it a lot lately from title company owners, executives, and IT teams.

So we decided to provide you with some definitive answers in this post.

Here’s what you can expect to learn:

What Are The Changes to ALTA Pillar 3 In Version 4.0?
What Do Title Companies Need To Know About ALTA Best Practice 3?
What To Do Next To Prepare For ALTA Pillar 3 Compliance

Let’s get started with the basics.

What Are The Changes to ALTA Pillar 3 In Version 4.0

ALTA announced the release of version 4 of its Best Practices Framework in a letter on January 23, 2023, with an effective date of May 23, 2023, for implementation. Here’s what they had to say about Pillar 3:

Though not reflecting the full extent of the proposed changes, the revisions that have received significant areas of attention include:

Pillar 3 (Privacy and Information Security Programs to protect NPI): Updates to the physical protection of NPI, inclusion of network and cloud security of NPI, further details on coverage of business continuity and disaster recovery plans, further details on the required oversight of service providers and third party systems, use of the ALTA Cybersecurity Incident Response Plan Template as a reference document for the written incident response plan, and requiring processes for addressing breaches or unauthorized access to NPI.

That covers the new requirements of Version 4 at a high level. All of the legacy Pillar 3 requirements from Version 3.0, like annual vulnerability and risk assessments, security awareness training, etc., are also still in place.

Pillar 3 is all about protecting Non-Public Personal Information, aka NPI.

As a quick refresher, NPI typically includes a first name or initial and a last name combined with—Social Security Number, driver’s license number, state-issued ID number, credit or debit card number, other bank or financial account information.

It’s also important to note that NPI can be maintained and stored in physical and/or digital format. NPI can be contained in customer applications, transaction records, files, and other relevant customer documents and communications.

Storage for records containing NPI might be maintained physically on-premise, in third-party physical archives, or in rented or leased facilities. Electronic storage might include on-prem computers and servers, remote work computers, mobile devices and laptops, colocated computers, and cloud servers and storage.

The bottom line is all NPI must be maintained according to Pillar 3 requirements. Incidents that led, or might have led, to compromised NPI must also be reported.

ALTA has provided numerous resources to help title agencies and settlement services companies comply with Title Insurance and Settlement Company Best Practices Version 4.

But it’s important to note that these resources and documents are intended for large, comprehensive security and IT teams that are beyond the scope of most small and mid-sized companies.

That’s where we can help.

What Do Title Companies Need To Know About ALTA Best Practice 3?

We’ve summarized the new ALTA Pillar 3 requirements contained in the Best Practices Version 4 framework. This is what it looks like at a high level.

From the ALTA Title Insurance and Settlement Company Best Practices Version 4, the Pillar 3 section starts with the requirement for a WISP, or Written Information Security Plan:

[Pillar] 3. Best Practice: Adopt and maintain a written information security plan (“WISP”) and a written privacy plan to protect NPI as required by local, state, and federal law.

Establish and implement a WISP designed to protect the security and confidentiality of NPI and the security of the Company’s information systems. The WISP should include:

In a nutshell, these are the main NPI security components:

Multi-factor user authentication
Password management plan that requires unique login names and system

passwords to access systems containing NPI

Timely software updates
Physical security (including background checks)
Network and cloud security policies to protect NPI on IT systems and infrastructure
Development of guidelines for the appropriate use of information technology

Preparedness and Training

This summarizes the requirements of the Preparedness and Training Section:

Establish, and periodically test, a written business continuity and disaster

recovery plan

Establish, and periodically test, a written incident response plan designed to

promptly respond to, and recover from, a cybersecurity incident

Periodically review the Company’s security controls and the Company’s WISP and make appropriate changes to address emerging threats and risks to the

Company’s information systems and NPI

Establish a training program to guide management and employee compliance with Company’s WISP and awareness of current and developing cybersecurity threats

We also paraphrased the last three major requirements of ALTA Pillar 3 v4:

Comply with applicable federal and state laws pertaining to securely maintaining records containing NPI.

Select service providers, contractors, consultants, and third-party systems whose information security policies are consistent with the Company’s WISP, including software tools and resources which may have access to NPI or store records containing NPI as part of their setup or operation.

Establish a privacy policy explaining how data is collected and used and publish it on Company’s website(s) or provide information directly to Consumers in another useable form.

To sum it all up, there are significant technology and physical security measures required in the latest version of ALTA Pillar 3 for title and settlement services companies. These measures impact your choice of vendors, consultants, service providers, software, hardware, and cloud solutions.

And the new version of ALTA Best Practices takes effect on May 23, 2023.

We recognize that you’re focused on serving your clients, not on physical and cyber security policies surrounding the collection and maintenance of NPI.

That’s why it’s time to meet your ALTA Title Insurance and Settlement Company Best Practices Version 4 compliance team.

What To Do Next To Prepare For ALTA Pillar 3 Compliance

SME is here to assist title agencies from start to finish in order to successfully meet ALTA Best Practice 3. Here’s what you can expect:

Our team will perform a pre-assessment to determine your readiness level
Our team will lay out a comprehensive plan to help you organize your compliance efforts
Our team will recommend and implement security products and services as directed by your team
Our team will work with you and your team to document and report successful completion of Best Practice 3
We’ll be mindful of your budget and timeframe for implementation

Systems Management Enterprises, Inc. is a Virginia-based Information Technology and Security Company offering a variety of purpose-built, cost-effective solutions for your business needs.

We’ve been in business for over a decade—providing infrastructure services, managed security, compliance solutions, and technical support to small and medium enterprises in the title services space.

At SME, we have the experience, expertise, services, and solutions to help you maintain a secure, always-available, compliant technology infrastructure.

Do you have questions?

We’re here to help. Call us at 703-782-9140 or Schedule Your Free ALTA Best Practice 3 Assessment Today!

April 17, 2023 By Rich Westbrook

New Ruling on SPRS Score and NIST 800-171 Assessment

The Department of Defense (DoD) recently issued a final ruling that requires contracting officers to consider supplier risk assessments in the Supplier Performance Risk System (SPRS) when evaluating offers. This ruling is an effort to improve the cybersecurity of the defense industrial base (DIB) by encouraging contractors to implement strong cybersecurity measures and effectively manage their supply chains.

Under the old DFARS 7019 ruling, contractors were required to enter their score into SPRS with the assumption that contracting officers might be checking to confirm the score was in there before the decision was made to award a contract.

Contracting officers are now instructed by the final rule to consider assessments, if available, in determining contractor responsibility through the new solicitation provision called DFARS 252.204-7024, effective March 22, 2023. The new ruling makes checking the score a requirement before awarding a contract.

One of the key ways that contractors can improve their SPRS score, and therefore their chances of winning DoD contracts, is by completing a NIST 800-171 assessment. This assessment is a set of cybersecurity standards developed by the National Institute of Standards and Technology (NIST) that contractors must meet in order to do business with the DoD.

However, completing a NIST 800-171 assessment can be a complex and time-consuming process. That’s where Systems Management Enterprises (SME) comes in. SME is a leading provider of cybersecurity and compliance solutions for government contractors, and they can help contractors navigate the NIST 800-171 assessment process and improve their SPRS score.

SME offers a comprehensive suite of services designed to help contractors meet NIST 800-171 requirements and improve their cybersecurity posture. These services include:

NIST 800-171 Compliance Assessment: SME’s team of cybersecurity experts will conduct a thorough assessment of your organization’s current cybersecurity posture and identify any gaps or vulnerabilities that need to be addressed to meet NIST 800-171 requirements.
Plan of Action and Milestones (POAM) Development: SME will help you develop a comprehensive POAM that outlines the steps you need to take to address any gaps or vulnerabilities identified during the compliance assessment.
Cybersecurity Policy Development: SME can help you develop and implement cybersecurity policies and procedures that meet NIST 800-171 requirements and align with your organization’s overall cybersecurity strategy.
Employee Training and Awareness: SME can provide cybersecurity awareness training to your employees to help them understand their role in protecting sensitive information and preventing cyberattacks.

By partnering with SME, contractors can improve their SPRS score and demonstrate to the DoD that they are taking cybersecurity seriously. SME’s team of cybersecurity experts can help contractors navigate the complex world of cybersecurity compliance and ensure that they are meeting all relevant standards and regulations.

Contractors can improve their chances of winning DoD contracts by completing a NIST 800-171 assessment and improving their SPRS score. SME can help contractors navigate the assessment process and improve their cybersecurity posture, ensuring that they are well-positioned to compete in the DIB. Contact us to today to get started!

March 24, 2023 By Rich Westbrook

Spring Hardware Clean Up

Spring Hardware Cleanup Around The Office

Spring is the perfect time for businesses to take stock of their computer hardware and perform a thorough clean-up. Over time, hardware can accumulate dust and debris, leading to poor performance and potential hardware failures. But cleaning up your business’s hardware is not just about keeping things in good working order – it’s also about protecting your intellectual property and sensitive client data.

In this blog post, we’ll explore some tips for spring clean-up of computer hardware for businesses, including how to clean up business intellectual property and sensitive client data to ensure compliance with industry regulations.

Step 1: Physical Cleaning

The first step in spring cleaning your business’s computer hardware is physical cleaning. Dust and debris can accumulate on your computer hardware, causing it to overheat and malfunction. Start by shutting down your computer and unplugging it from the power source. Use a soft, lint-free cloth to gently wipe down the surface of your computer, including the keyboard and screen. For more stubborn dirt and grime, use a cleaning solution that is safe for computer use.

When cleaning your computer hardware, it’s essential to be gentle and avoid using harsh chemicals that can damage sensitive components. Don’t forget to clean the inside of your computer as well, using compressed air to blow away any dust or debris that may be clogging the fans or causing other issues.

Step 2: Back Up Important Data

Before you start deleting files or uninstalling programs, it’s crucial to back up any important data. This includes your business’s intellectual property, such as patents, trademarks, and copyrights, as well as sensitive client data, such as financial records, personal information, and confidential contracts.

Backing up your data can be done in a variety of ways, such as using an external hard drive, a cloud-based storage service, or a secure server. Choose the option that is best for your business and make sure that the backup is complete and up-to-date.

Step 3: Delete Unnecessary Files and Programs

Once you have backed up your important data, it’s time to delete unnecessary files and programs from your computer. This can help free up space on your hard drive, improve your computer’s performance, and reduce the risk of cyber attacks.

When deleting files, be sure to permanently delete them, so they can’t be recovered. When uninstalling programs, use the proper uninstallation process to remove all associated files and registry entries.

Deleting files and data can be an intimidating process. Why not let SME do this for you? We can ensure your company is deleting files properly and creating the proper documentation that will meet compliance requirements.

Step 4: Securely Dispose of Hardware

When it’s time to retire old computer hardware, it’s essential to do so securely. This includes wiping the hard drive clean of all data and physically destroying the hard drive if necessary.

SME can assist with secure data destruction and responsible disposal of electronic waste.

Step 5: Stay Compliant

Finally, it’s crucial to stay compliant with industry regulations when handling business intellectual property and sensitive client data. Depending on your industry, you may need to comply with regulations such as ALTA Best Practices, CMMC, or HIPAA.

Make sure that your business is up-to-date with all relevant regulations and that you are taking the necessary steps to protect your intellectual property and sensitive client data.

Keep Your Systems Running Smoothly with SME

Spring clean-up of computer hardware for businesses is an essential task that can help keep your systems running smoothly and protect your intellectual property and sensitive client data. By following these tips, you can ensure that your business is compliant with industry regulations and that your data is secure.

SME can conduct a thorough review of your tech hardware to provide you with a roadmap for the future. Get in touch with us today for your free consultation.

January 20, 2023 By Rich Westbrook

What Should Be Included in a Year-End Technology Infrastructure Review?

The ideal time to plan for the future is when the year is drawing to a close. Businesses usually start the year with the hope of growing and improving their operations. Technology dictates much of how businesses operate. So, it makes perfect sense to identify areas of optimization in your IT.

A year-end technology review gives you the chance to look at various areas of your IT. The goal is to take time to focus on improvements you can make to boost your bottom line along with the tactics required to lower the risk of a costly cyberattack.

The reality is that organizations that make use of technology generally tend to be more secure and do better.

Take some time this year-end to do a technology review in your organization with either a managed IT provider or your IT team. It will be a great way to set your organization up for success and security in the coming year.

What Are the Key Considerations When Reviewing Your Technology at Year-End?

The goal of the year-end technology review is to look at all areas of your IT infrastructure. Efficiency, security, as well as bottom-line considerations will be the key drivers for any future initiatives.

I. Technology Policies

People usually stop following technology policies that get outdated. So, review all your policies to see whether any of them require updating to reflect new conditions. For instance, if you now have some staff that work from home, ensure that your device use policy also reflects this.

Don’t forget to let your employees know when you do update policies. It gives them a refresher on important information. They might have forgotten some things since onboarding.

II. Disaster Recovery Planning

When did you last have an incident response drill in your organization? Is there a list of steps employees are required to follow in case of a cyberattack or natural disaster?

Set aside time to do disaster recovery planning for the coming year. It can also be a good idea to put dates in place for preparedness training and drills in the coming months.

III. IT Issues and Pain Points

It is never a good idea to go through a major IT upgrade without taking the employee pain points into consideration. Otherwise, you might end up missing some golden opportunities for improving staff well-being and productivity.

Survey your employees on their use of technology. Ask questions about their favorite and least favorite apps. Learn about the struggles they face. Find out how they feel technology may improve to make their jobs better. In turn, this will benefit your business. It will also help you target the most impactful improvements.

IV. Privileged Access and Orphaned Accounts

Part of the year-end review should be doing an audit of your privileged accounts. Permissions can be misappropriated over time, which can leave your network at a higher risk of a major attack.

You should make sure that admin-level permissions are only granted to those that need them. The fewer the privileged accounts in your business tools, the lower your risk. Compromised privileged account passwords open the door to disaster.

You should also look for any orphaned accounts while going through your accounts. These should be closed because they are no longer in use. Leaving them active poses a serious security risk.

V. IT Upgrade and Transformation Plans

Making IT decisions and upgrades “on the fly” can end up biting you. It is best to plan out a strategy beforehand so that you can upgrade in an organized way.

Have a vulnerability assessment done. It will give you a list of potential problems that your organization needs to address. Eliminating vulnerabilities helps improve your cybersecurity. Planning ahead helps you budget for upgrades and avoid unplanned expenses.

VI. Cloud Use and Shadow IT

Review how cloud applications are used in your organization. Are there some apps that are hardly ever used? Does your cloud environment have redundancies? The review will not only help you in reducing waste but also saving money.

You should also check for employee use of shadow IT. These are essentially cloud applications used for work purposes but didn’t go through approval. Management might not even know about them. Eliminate this potential security risk by either officially approving them or closing the accounts.

VII. Customer-Facing Technology

It is also important to look at the customer experience provided by your technology infrastructure. Go through your website and contact process just as a customer would.

If you find yourself getting frustrated by things such as website navigation, then your leads and customers may be too. Ensure that optimizations to your customer-facing technology are included in your new year plans.

Schedule a Technology and Security Assessment Today!

SME can conduct a thorough review of your technology environment to provide you with a roadmap for the future. Get in touch with us today for your free consultation.

May 24, 2022 By Rich Westbrook

DIBCAC Medium Assessments Are Coming To DIB Contractors

You may have missed it, but the CMMC Accreditation Body (CMMC-AB) hosted their March Town Hall Meeting on Tuesday, March 29^th. The meeting lasted about an hour and covered several topics surrounding the CMMC.

Topics included training and certification programs and the recent activities of the Defense Contract Management Association’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center, aka DIBCAC.

The team at SME wanted to share some of the most relevant, actionable information from the meeting with our customer base of DIB contractors.

DIBCAC Medium Assessments Are Coming To DIB Contractors

It‘s important to note that DIBCAC is starting to do random assessments, look into compliance documentation, check SPRS scores, and ask for additional self-assessment documentation.

But what are the need-to-knows for Defense Industrial Base contractors?

These are the issues from the CMMC-AB town hall that we’ll discuss in this post:

What type of assessments will DCMA be conducting, and what do DIB contractors need to be aware of?
What are the compliance risks and required actions from contractors?
Where can DIB contractors go for questions and clarification?

So let’s get started with some important notes from the town hall meeting. The full meeting notes are available from the CMMC-AB:

Mr. DelRosso (DCMA/DIBCAC spokesman) then provided an update on medium assessments, which the DCMA DIBCAC is initiating to provide acquisition insight into the DIB. They are a paper-based drill and will be of minimal impact to contractors. They will be used for companies who self-attested at a variety of levels and will include a review of System Security Plan (SSP) descriptions of how each requirement is met. The DCMA will look at high scorers and low scorers and see if there is any pattern that can be identified based on scores and sectors of the DIB to get a real understanding on what is going on. The DCMA DIBCAC will be checking some of these SSPs soon to get a sense of compliance within the ecosystem.

The medium assessments have started rolling out. It might be helpful to understand the difference between medium versus high assessments:

Medium assessments – paper-based review used for companies who self-attested at a variety of levels and will include a review of System Security Plan (SSP) descriptions of how each requirement is met.
High assessments – a medium assessment but a higher level review of documentation that is submitted which follows more methodologies

Here’s what you need to be aware of—if your organization has submitted a Supplier Performance Risk System (SPRS) score based on self-assessment, you still need to have a detailed system security plan (SSP) in place and available to DIBCAC personnel.

In fact, the absence of an SSP could invalidate your score, according to NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1:

i) Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if the information is not available. The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’

So what are the compliance risks and required actions for DIB contractors?

You never want to be at risk with DCMA/DIBCAC compliance. You could be subject to invasive document review requests, DCMA Corrective Action Requests (CARs), and ultimately disciplinary actions, loss of contracts, status revocations, etc.

When industry-tested, professional, cost-effective solutions are readily available, who needs any of that?

Where can DIB contractors go for questions and clarification?

If you don’t have a system security plan in place, get in touch with our team today.

You still have time to get all of your documentation in place.

With our DIB-contractor-tested Compliance Management Platform, we can crosswalk from NIST 800-171 to CMMC and DIBCAC medium assessments. We’ll help you identify any gaps. Our team of Registered Practitioners will work with your team to build an SSP and an accurate, compliant SPRS Score.

As a designated CMMC-AB Registered Provider Organization (RPO), SME is uniquely positioned to provide pre-assessment advice, consulting services remediation, and compliance recommendations to government contractors.

SME takes a different, more efficient approach to help our DIB clients achieve compliance. When you partner with us, you get a dedicated engineer who will help you build an action plan for a DCMA DIBCAC medium assessment.

At SME, we have a team of experts with all the extensive experience and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity. We are laser-focused on information security, so you don’t have to be.

Right now we’re offering a no-obligation SSP assessment at no cost to you.
Call us at 703-378-4110. Schedule Your Free SSP Assessment Today!

January 10, 2022 By Rich Westbrook

What Exactly Is Cyber Insurance—And Does Your Business Need It?

Those are two great questions. And we’re going to provide some answers.

We’re also going to discuss a nexus between CMMC certification and cyber insurance audit requirements that may enable you to kill two birds with one stone.

In this post, we’ll drill down into these three critical aspects of cyber insurance:

What is cyber insurance, and how does it work?
What are the business benefits?
Are there similarities between CMMC certification and cyber insurance audit requirements?

So what is cyber insurance, and how does it work?

Let’s start with a great definition from the liability experts at Hiscox Group:

A cyber insurance policy is designed to cover privacy, data, and network exposures. The list of regulations and statutes continues to expand regarding the use and protection of cyber security information, as well as notification requirements in the event of a breach. As cyber exposures continue evolving, so will your need to ensure that your business is protected if a cyber attack occurs.

Cyber insurance policies can vary from hundreds of dollars per year to tens of thousands. The cost of the policy will depend on a number of factors, including:

Type, quantity, and sensitivity of the information
Size of the IT enterprise—number and locations of servers, storage devices, etc.
Type and number of data and user access points and controls—web, employees, contractors, etc.
Current security vulnerabilities, etc.

Do the business benefits of cyber insurance outweigh the costs?

That depends on your business. Cyber insurance provides security breach and incident coverage over and above your general liability and professional liability insurance coverage. You can also design your policy to cover breach recovery costs, ransom and extortion costs, breach notification costs, loss of income, etc. Businesses should customize their policy to balance potential vulnerabilities and liabilities.

Additional business recovery costs can include hiring consultants to help with data recovery, replacement hardware and software, general IT consulting services, public relations costs, repairing a damaged business reputation, etc.

Some things that you’ll want to ask your insurance company about, related to costs that might not be covered, include:

Third-party lawsuits
Legal fees in general
Intentional, negligent acts on your company’s part
Property damage or physical injury
Acts of terrorism

Cyber insurance can be an extremely effective weapon against cyber crimes and data breaches. But it’s up to you and your team of IT security experts to find the right policy to fit with your overarching security management framework and infrastructure.

Are there similarities between CMMC certification and cyber insurance audit requirements?

The short answer to that question is yes. There is no absolute requirement standard for DoD contractors or related businesses to become CMMC certified or to buy cyber insurance at this time. But, as we point out in a recent post, CMMC compliance requirements are an inevitable reality. CMMC implementation timelines may also be moving closer than the original target date of October 2025.

The right cyber insurance policy might also be a powerful, cost-effective tool in your cybersecurity armament.

Both CMMC certification and the implementation of cyber insurance require an audit of your current security practices, policies, and infrastructure.

So we’re offering a complimentary initial security assessment for DoD small businesses, contractors, and subcontractors. This is an excellent opportunity to assess your cybersecurity environment for CMMC certification and cyber insurance at the same time.

And we’re providing the initial assessment at no cost to you.

At SME, we have a team of experts with all of the extensive experience and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity. We are laser-focused on information security, so you don’t have to be.

Are cybersecurity issues and potential threats keeping you up at night? Do you have questions about CMMC requirements for DoD contractors and small businesses? Let us handle your information security so you can focus on growing your business.

Take advantage of our no-obligation CMMC certification and cybersecurity insurance readiness assessment with no obligation and no cost to you.

Call us at 703-378-4110 Schedule Your Free Cybersecurity Assessment Today!

December 16, 2021 By SME, Inc.

CMMC 2.0. What You Need to Know

As a DoD contractor, you already know the road to CMMC compliance is full of twists and turns. Now, amid concerns about the costs and complexities of the process, the DoD has overhauled the Cybersecurity Maturity Model Certification once again, launching CMMC 2.0 in November.

CMMC 2.0 is the DOD’s efforts to streamline and improve earlier CMMC compliance requirements, specifically by revamping the five maturity levels into three. CMMC 2.0 maintains the program’s original mission of protecting sensitive information, but offers several other advantages for some government contractors:

Simplifies the standards.
Minimizes barriers to compliance.
Sets priorities for protecting DoD information.
Provides additional clarity on regulatory, policy, and contracting requirements.
Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
Increases department oversight.

Collapse and Streamline of Levels

CMMC 2.0 still has a level 1, 2, and 3, but they are very different than the levels of CMMC 1.0. Levels 2 and 4 have been eliminated. Here’s a brief overview of what the new levels look like.

Level 1 mostly stays the same with 17 practices requirements, but third-party assessments are no longer required. Instead, an annual self-assessment will be required to certify compliance.

Level 2 (formerly level 3 in CMMC 1.0) will be aligned with the full 17 NIST 800-171 practices but eliminates all CMMC unique practices and processes. Assessments for Level 2 will be triennial third-party assessments for critical national security information and annual self-assessments for select programs.

Level 3 (formerly level 5 in CMMC 1.0) will use a subset of 100+ NIST 800-172 practices. Level 3 will require triennial government-led assessments.

The Interim Rule Is Still In Effect!

The Interim Rule is still in effect! NIST 800-171 Self-Assessment, SSP, POAM, and SPRS Score still stand. However, the timeline for contracts to include the CMMC level may possibly change from 2025 to 2023.

Confused yet? With the introduction of CMMC 2.0, it’s time to take a look at where you are now, what the new changes mean for your company, and where you need to go. SME can help you better understand 2.0 and how you can competitively position your organization by developing a plan on how to get there.

November 18, 2021 By SME, Inc.

DOJ and the New Cyber Fraud Initiative for False Claims

Cybersecurity is no joke. And that’s just the message that the Department of Justice (DOJ) is sending with its creation of the Civil Cyber Fraud Initiative. This initiative allows the DOJ to use civil enforcement of the False Claims Act (FCA) against government contractors and grant recipients who fail to follow required cybersecurity standards, jeopardizing U.S. information and infrastructure.

All government contractors should take this initiative very seriously. Failure to adopt and maintain cybersecurity best practices can mean reimbursing the government and taxpayers for losses incurred if your company fails to satisfy your cybersecurity obligations. In fact, for the fiscal year ending September 30, 2020, the DOJ collected more than $2.2 billion in settlements and judgments from civil cases involving fraud and false claims against the government.

SME can help you avoid DOJ scrutiny and potential FCA claims with our trusted cybersecurity tools that meet federal standards and regulatory obligations. We can help you implement a cybersecurity hygiene strategy so you can avoid FCA enforcement.

Give us a call at 703-378-4110 if you’re ready to learn more about how SME can help.

October 20, 2021 By SME, Inc.

CMMC Lessons Learned from a C3PAO

By now, DoD contractors already mired in the complexities of Cybersecurity Maturity Model Certification (CMMC) know one thing for certain: the process takes time—anywhere from six to 12 months, depending on the maturity of your company’s security level, policies, and procedures. If you want to continue to win government contracts, and you haven’t started the CMMC process yet, it’s crunch time, and a last-minute cram session won’t cut it in this case.

There is a LOT that goes into the CMMC certification process. While not all DoD contractor’s compliance journeys will be the same, those who are ahead of the game have some valuable insights that every organization can apply. To help ensure you start your CMMC efforts off on the right foot, here are some lessons learned by Certified Third-Party Assessor Organizations (C3PAOs).

Don’t Skimp on Standard Operating Procedures (SOP)

At CMMC Level 2, organizations are required to document a system security plan, practices, and policies that allow staff to perform processes that are repeatable and consistent. Best practices show that having robust, detailed, step-by-step procedures, including a well-defined purpose, scope and roles and responsibilities for each activity, is important for a successful CMMC.

Make an Incident Response Plan a Priority

Also high on the list of lessons learned is establishing a formal and proactive Incident Response (IR) plan and regularly test the plan to increase your organization’s ability to respond to security incidents.

Know Your Network Inside and Out

Get to know your network—and the people who use it—intimately! Start by performing an audit to accurately assess your network devices and approve all of the devices connected to your network, the applications and software they are running, including your email system, and create a list. And, know your data stored on your network. CMMC focuses mainly on protected controlled unclassified information (CUI) which can include software executable code, source code, technical reports, studies, analysis, intellectual property, engineering drawings, tax-related information, to name a few.

Get a Grip on Daily Cybersecurity Hygiene

Checking in on your organization’s cybersecurity measures everyday isn’t just a suggestion, but a must. And it’s much more than protecting passwords and telling employees not to click on phishing links. There are 5 levels of CMMC cybersecurity hygiene, each with their own requirements. One way to get a handle on daily cybersecurity hygiene—and show your due diligence—is through a dashboard-driven tool like SME’s state-of-the-art Compliance Management Platform, that gives you the visibility you need to know the real-time status of all your programs.

Need CMMC Assistance?

If you bid on DoD contracts, don’t wait any longer to start your CMMC certification process. SME will work with you to prepare and navigate CMMC and help you maintain your maturity levels. Give us a call at 703-378-4110 or email info@smeinc.net.

September 16, 2021 By SME, Inc.

IoT Security: Tips to Securing Your IoT Devices

The Internet of Things, or IoT devices are great! Not only do they provide automated, seamless assistance to normal, everyday life; they also make life simpler. Can’t remember if you locked the door before leaving? Open up the app for your Smart Door Lock and engage the lock. Want to make sure the house is the perfect temperature when you arrive? Smart thermostats like Nest, Ecobee, or HoneyWell can give you the ability to turn on the heat or AC before you even walk through the door; and who doesn’t like the sound of being able to make sure dinner is cooking and will be ready for when you get home from work? There’s a Smart Crockpot for that! Yes, seriously! Even a large majority of the TV’s sold in stores are Wi-Fi enabled.

As convenient and simple as these types of devices can make our everyday lives, they can also be something of a double edged sword, as they can come at a price that’s significantly higher than what the device itself actually costs. As with many of the electronic and internet enabled devices that we use in everyday life, IoT devices require a certain level of security, and ignoring this aspect when it comes to your IoT devices can do much more harm than good.

How IoT devices Can Make Us More Vulnerable

As with any device that connects to a network, hackers can use IoT devices to gain access and even a long standing foothold into your network, and this can happen from even the most unexpected of devices. Unfortunately, many of us are more concerned with getting these cool, new devices, getting them configured, and setup on the network so that we can start using them immediately; and as a result put the idea of securing the devices on the back burner.

So what exactly can be done to secure these IoT devices? Actually, there is quite a bit that can be done!

Use Your Own Network, Avoid Public Wi-Fi

It should go without saying that if you’re planning on trying out that new Wi-Fi enabled toaster, don’t connect it to a public Wi-Fi network. In the rare, off chance that you absolutely have to connect the device to a public network, use a Virtual Private Network (VPN).

Setup and Use a Guest Network

Guest networks are simple to set up and configure and provide an extra layer of security to your network. This is especially true in the case when you have visitors who want to use your Wi-Fi, either at home or in the office. The guest network can provide them with access to the network and of course to the internet, but it secludes them from entering into the main network so they can’t actually access any of the other devices or system connected to the main network.

It’s recommended to also use a guest network for your IoT devices, such that in the off chance that one of the devices is indeed compromised, then the threat actor (hacker) will be trapped within that guest network and unable to access your personal devices on the main network.

Always Reconfigure Every IoT Device

Whether you receive it as a gift or purchase it as soon as it hits the shelves, every IoT device that you plan to connect to your network needs to be reconfigured during setup. This doesn’t mean you have to take the device apart to “hack it”, all this simply means is setting up a strong, complex, and secure password for the device, as well as the email or federated login account you’re using to set up the device.

Use Strong Passwords

Just as we mentioned above, make it a habit of using strong, complex passwords for all the devices that you connect to your network and the accounts that you may end up creating for these devices. People often have a tendency of reusing the same password for many of their devices and accounts, what is even worse is the fact that most of these passwords are simple, and can either be easily guessed, or cracked by hackers.

Also make a habit of using Two-Factor Authentication (2FA) if the account or device allows it.

Always Know What Is Connected to Your Network.

It should go without saying that you should always be cognizant or aware of what devices are connected to your network. Many of today’s wireless network routers come with easy to access and user friendly administrative interfaces that can be used to find out exactly what devices are connected to your network. However there are some routers that are setup and configured using an app, and these apps also allow the same type of administrative check.

Ensure Devices are Updated

When initially setting up a new IoT device, always make sure to check and see if it has any current software/firmware updates that can be applied. Also, another even more helpful feature to have is auto-updates, so if the device has this capability, enable it. Be sure to make a habit of checking to see if the device needs updating.

IoT devices and the technology that drives them have a seemingly unlimited potential to assist us in our daily lives, but do not disregard the risks. You can purchase the most highly rated, most expensive IoT device on the market that was created by the top companies in that field, but at the end of the day, the security of IoT devices and that of your network is up to your and the amount of time and level of protection that you are willing to take.