Don’t Hit the Snooze on Cybersecurity

Estimated reading time: 3 minutes

I have good news for small manufacturers looking for ways to stand apart from the competition: By delaying the launch of the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) may have done you a favor. They’ve handed you a golden opportunity to zig when everybody else is zagging.

If your competitors are small- and mid-sized businesses that supply the DoD, their concerns aren’t too different from yours. They’re probably aware that CMMC requirements are coming, but that’s an IT issue, so it’s not a top-of-mind concern—especially compared to labor shortages, supply chain issues, inflation and so on. They know that cybersecurity is important, but it’s tangential to operations—like having locks or alarms on the building. Sure, this CMMC stuff is coming, but it doesn’t seem urgent. Whenever a deadline gets close, there is another delay. It is as if there was a regulatory hurricane forming somewhere out in the open ocean; it might be headed our way, so we will keep half an eye on it and hope it dissipates or turns before making landfall.

As everyone knows, waiting until the hurricane has knocked out a good part of the local power grid is a poor time to go shopping for a generator.

While the DoD works out the details and timing of CMMC 2.0, its basic, foundational elements are easy to predict. As Bob Dylan put it, “You don’t need a weatherman to see which way the wind blows.” Eventually, and well before the deadline, CMMC requirements will make their way into more and more federal contracts. Clearly, those companies that have moved toward compliance already will have a much easier time certifying, but compliance is not the only business benefit to cybersecurity. As strange as it might sound, certification itself might be the least important—for now, anyway.

Your advantage will come from simply understanding, documenting, and establishing basic protection of your digital environment and processes before most of your competitors do. That might sound like a lot, but it’s essentially taking an inventory, identifying the most important items and biggest threats, and safeguarding them appropriately.

It’s Just Baseline Security
Instead of looking at CMMC as yet another set of regulations, we encourage our clients to see it as a description of baseline security—similar to the way ISO sets out basic quality standards. You might be ISO certified already, without regulations telling you to be. You do it because it’s a good practice, and your customers expect you to have it.

CMMC is not much different. Certification will show your customer base that you have taken the steps necessary to protect their data and your own operations. The protections necessary for Level 1 certification will be all that most of you will truly need. They amount to basic risk avoidance, not that different from requiring hearing protection, safety glasses, or safe processes in your production environment. We can take potential customers on tours of the shop floor, but not the digital sub-floor, so to speak, on which operations rest.

Because we can’t visualize our networks, it’s hard to see risks in them—until something happens. But what if we could see? Imagine your budget spreadsheets, payroll information, confidential client files, or other mission critical documents were only available in hard copy. Would you keep them piled in front of an open window, stack them next to a fireplace, leave them in the hands of a disgruntled employee, or give them to someone you bumped into on the street to deliver to your customer or accountant? If you saw any of these things, you’d stop everything and make sure these key items were locked in a fireproof, water-tight safe to which only you and a few trusted staff had the combination.

To read this entire article, which appeared in the January 2021 issue of SMT007 Magazine, click here.