How And Why NIST And CMMC Standards Are A Starting Point For All Small Business

Posted by Pete Frasco on October 4, 2022

Every business, whether large or small, well established or new on the block, needs to take its internal security seriously, and that includes its cybersecurity. Even small start-up businesses often find themselves trusted with highly sensitive information, one example being Personally Identifiable Information (PII) such as email and physical addresses, phone numbers, names, and more. By applying the simple NIST standards such as 800-171a, which is also Cybersecurity Maturity Model Certification Level 1 (CMMC ML1), to your business, you can demonstrate that you have a foundation of basic cyber hygiene, which is key to maintaining the trust of your customer base and developing a positive reputation as a business.

Why Is My Small Business a Target?

Many CEOs, especially those running fresh start-up companies, question how and why their small business could possibly be a target of hackers. After all, if you are struggling so hard to break into an industry, market your products, and bring in regular customers, you aren’t exactly rolling in cash. Having the correct level of Managed IT and Cybersecurity services in place to mitigate your risk is similar to insurance: you don’t think you need it until you need it.

The truth is, many hacks are becoming more automated, which means that your website can be sniffed out and attacked even if you don’t rank high on the early pages of a search engine. Many small businesses do not have secure online defenses, which makes them much easier targets than larger companies. Even small businesses may hold large amounts of money, not to mention private customer data (such as login information) that a hacker may try to exploit for even bigger gains down the road; for example, by testing whether a password that was used to open an account on a small business’s website is also the password used for bank accounts or other websites where money may be stored, such as Amazon.

A security breach can result in huge financial losses that your company may not be able to recover from. A breach can also be devastating to your reputation, especially as a small business, so it is crucial that you seek out a partner that stands with you to improve your cyber resilience as soon as possible, in order to give your company the best chance at protecting against cyber attacks.

Current Cyber Threats

Hackers lurk around every corner of the Internet, or possibly even across your street. The Cybersecurity & Infrastructure Security Agency (CISA) releases regular alerts about recently discovered security incidents as they are reported. You can track current cyber threats on their Current Activity page. Some of the top cyber threats that could affect your small business are:

  • Phishing
  • Ransomware
  • Malware
  • Viruses
  • Insider threats
  • Weak passwords
  • International conflicts and wars

Now, “who needs CMMC certification?”, you ask.

As of November of 2021, the Department of Defense suspended version 1 of the CMMC program and is currently in the rulemaking process for version 2. When rulemaking is complete, the DoD will begin the rollout of CMMC assessment, and validation will become mandatory for any business that contracts with the Department of Defense.

How Do I Obtain CMMC Certification?

There are three different levels of CMMC certification (known as maturity levels), and you must first determine which one applies to your small business. Most small businesses will fall into Maturity Level 1: the Basic Cyber Hygiene level.

ML 1 requires an officer of your company to “self-attest” each year in writing that the organization is indeed in compliance with the 17 requirements in 800-171a. Once you confirm the maturity level that your business requires, in order to be certified you must prove that your small business is safely protecting valuable customer data with basic cyber hygiene, as documented by the scoping and assessment documentation. ML 2 and ML 3 will require you to pass a third-party audit conducted by a CMMC Third Party Assessment Organization (C3PAO) or the Department of Defense DIBCAC, respectively. Regardless of maturity level, it is highly recommended that you work alongside a Registered Practitioner (RP) and Registered Practitioner Organization (RPO) that has the training and has demonstrated the knowledge to receive this designation. To learn more on selecting an RPO

Contact Us Today To Schedule Your Discovery Call