Don’t Hit the Snooze on Cybersecurity


I have good news for small manufacturers looking for ways to stand apart from the competition: By delaying the launch of the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) may have done you a favor. They’ve handed you a golden opportunity to zig when everybody else is zagging.

If your competitors are small- and mid-sized businesses that supply the DoD, their concerns aren’t too different from yours. They’re probably aware that CMMC requirements are coming, but that’s an IT issue, so it’s not a top-of-mind concern—especially compared to labor shortages, supply chain issues, inflation and so on. They know that cybersecurity is important, but it’s tangential to operations—like having locks or alarms on the building. Sure, this CMMC stuff is coming, but it doesn’t seem urgent. Whenever a deadline gets close, there is another delay. It is as if there were a regulatory hurricane forming somewhere out in the open ocean; it might be headed our way, so we will keep half an eye on it and hope it dissipates or turns before making landfall.

As everyone knows, waiting until the hurricane has knocked out a good part of the local power grid is a poor time to go shopping for a generator.

While the DoD works out the details and timing of CMMC 2.0, its basic, foundational elements are easy to predict. As Bob Dylan put it, “You don’t need a weatherman to see which way the wind blows.” Eventually, and well before the deadline, CMMC requirements will make their way into more and more federal contracts. Clearly, those companies that have moved toward compliance already will have a much easier time certifying, but compliance is not the only business benefit to cybersecurity. As strange as it might sound, certification itself might be the least important—for now, anyway.

Your advantage will come from simply understanding, documenting, and establishing basic protection of your digital environment and processes before most of your competitors do. That might sound like a lot, but it’s essentially taking an inventory, identifying the most important items and biggest threats, and safeguarding them appropriately.

It’s Just Baseline Security
Instead of looking at CMMC as yet another set of regulations, we encourage our clients to see it as a description of baseline security—similar to the way ISO sets out basic quality standards. You might be ISO certified already, without regulations telling you to be. You do it because it’s a good practice, and your customers expect you to have it.

CMMC is not much different. Certification will show your customer base that you have taken the steps necessary to protect their data and your own operations. The protections necessary for Level 1 certification will be all that most of you will truly need. They amount to basic risk avoidance, not that different from requiring hearing protection, safety glasses, or safe processes in your production environment. We can take potential customers on tours of the shop floor, but not the digital sub-floor, so to speak, on which operations rest.

Because we can’t visualize our networks, it’s hard to see risks in them—until something happens. But what if we could see? Imagine your budget spreadsheets, payroll information, confidential client files, or other mission-critical documents were only available in hard copy. Would you keep them piled in front of an open window, stack them next to a fireplace, leave them in the hands of a disgruntled employee, or give them to someone you bumped into on the street to deliver to your customer or accountant? If you saw any of these things, you’d stop everything and make sure these key items were locked in a fireproof, water-tight safe to which only you and a few trusted staff had the combination.

To read this entire article, which appeared in the January 2021 issue of SMT007 Magazine, click here.

