The Impact of NIST SP 800-171 Revisions on CMMC Compliance

Maintaining compliance with the evolving Cybersecurity Maturity Model Certification (CMMC) requirements is crucial for defense contractors and organizations. In this article, we’ll explore the recent revisions of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and their direct impact on CMMC compliance. As a leading provider of cybersecurity solutions, Back To Business I.T. aims to empower defense contractors with the necessary insights to navigate these changes effectively.

Understanding NIST SP 800-171 serves as the baseline for protecting Controlled Unclassified Information (CUI) on nonfederal systems and organizations. These guidelines establish essential security requirements that federal agencies and government contractors must follow when handling sensitive information. CUI encompasses data such as intellectual property, health information, and critical energy infrastructure information. Compliance with NIST SP 800-171 is a prerequisite for defense contractors seeking to secure Department of Defense (DoD) contracts.

The Impact of NIST SP 800-171 Revisions on CMMC Compliance

The revisions in NIST SP 800-171, particularly the upcoming Revision 3, significantly influence the compliance landscape for defense contractors pursuing CMMC certification. Let’s explore how these revisions affect CMMC compliance:

Enhancing Alignment: NIST has aligned the language of SP 800-171 Revision 3 with the closely related SP 800-53 Rev. 5, enabling defense contractors to apply the technical tools and controls outlined in SP 800-53 to achieve CMMC compliance. This alignment streamlines the implementation process and ensures a consistent approach to cybersecurity.
Strengthening Security Requirements: The revised NIST SP 800-171 places increased emphasis on cybersecurity, reflecting the evolving threat landscape and state-level espionage targeting CUI. The new requirements address specific threats to CUI and incorporate state-of-the-practice cybersecurity controls. By adhering to these enhanced security requirements, defense contractors can bolster their cybersecurity posture and better protect sensitive information.
Simplifying Implementation: NIST SP 800-171 Revision 3 introduces clearer instructions and specific criteria, reducing ambiguity and facilitating easier implementation. This streamlining of requirements simplifies the compliance process and enables defense contractors to align their cybersecurity practices with the latest industry standards.
Aligning with Future CMMC Levels: The revisions in NIST SP 800-171 provide a foundation for future CMMC levels beyond Level 3. By incorporating the enhanced security requirements and alignment with SP 800-53 Rev. 5, defense contractors get a head start in preparing for future CMMC levels, ensuring a smooth transition as the certification evolves.

To achieve CMMC compliance, defense contractors must remain up-to-date with the revisions in NIST SP 800-171.

The upcoming Revision 3 brings enhanced alignment, strengthened security requirements, simplified implementation, and a forward-looking approach to future CMMC levels. By effectively understanding and implementing these revisions, defense contractors can ensure their cybersecurity practices meet the rigorous standards required for DoD contracts.

Back To Business I.T. is committed to supporting defense contractors on their journey towards CMMC compliance, and we’re ready to provide tailored cybersecurity solutions. Take the first step today by scheduling a gap analysis with our expert cybersecurity consultants.

Department of Defense prepares rollout of national cybersecurity standards

By Tyler Greenwood, Vice President of Back To Business I.T. (originally published in the Dayton Business Journal)

Cyber incidents like the SolarWinds attack in 2019 and the Colonial Pipeline ransomware attack in 2021 have the U.S. Department of Defense (DoD) taking urgent action to strengthen national cybersecurity regulations.

A report released last November found most prime contractors (and their subcontractors) hired by the DoD in the last five years failed to meet minimum cybersecurity standards, putting U.S. national security at risk. Security gaps in the federal supply chain have been well known for years, but attempts to fix them have failed.

Enter: CMMC

In response to heightened security risks, the DoD introduced Cybersecurity Maturity Model Certification (CMMC) program. Its goal is to ensure any company involved in the federal supply chain is protecting controlled unclassified information.

Under CMMC guidelines, more than 300,000 contractors must meet 110 NIST SP 800-171 controls, which the government sees as a reasonable cyber risk management approach. In addition, 80,000 of these organizations must complete a third-party assessment and certification to continue bidding on defense contracts.

When will CMMC certification be required?

The DoD is expected to release a final rule on CMMC framework by March 2023, which means contractors could start seeing requirements in RFPs/RFIs as early as May.

If your business is one of the 80,000 contractors that requires an outside assessment and certification, you may have less than a few months to do so. Failure to achieve compliance before the published rule could mean leaving money on the table and losing the ability to do business with the Department of Defense.

Getting started

If your company is still in the beginning stages of CMMC compliance, the time to act is now. Preparation and implementation of the following requirements can take upwards of 18 months. To get started on compliance, contractors should immediately:

Work toward meeting the 110 controls in NIST SP 800-171.
Identify their Supplier Performance Risk System (SPRS) score.
Create a system security plan (SSP).
Document plans of action and milestones (POA&M) to demonstrate how you intend to close any gaps for controls not yet met.

Next steps

If your organization has already started on CMMC compliance, consider conducting a preliminary self-assessment to see if you satisfy requirements. This can provide a range of helpful information to ensure you have everything functioning as expected once you’re ready to formally self-attest or go for your official certification.

If your business wants consultative guidance, including assistance walking you through standards you didn’t meet, explaining why, and offering suggestions on closing those gaps, you might find it beneficial to work with a CMMC Registered Provider Organization (RPO), such as Back To Business I.T.

As a full-service I.T. firm and the region’s leading CMMC-AB RPO, Back To Business I.T. can help you achieve NIST SP 800-171 compliance as well as help you prepare your plan of action and milestones (POA&M) and system security plan (SSP) required for CMMC certification. Learn more at www.backtobusinessit.com/cmmc-readiness.

8 Spooky Cybersecurity Statistics To Help You Prepare For The Worst

A cyberattack is a scary event. It can shut down a business, cripple a government, and even incapacitate an entire country if the right measures aren’t taken to prevent it from happening.

THIS HALLOWEEN, WE BRING YOU EIGHT SPOOKY CYBERSECURITY STATISTICS THAT EMPHASIZE THE DANGERS OF CYBER THREATS AND URGE YOU TO PREPARE FOR THE WORST.

54% of small and medium-sized businesses (SMBs) say their I.T. departments are not sophisticated enough to handle advanced cyberattacks. (Sophos)
As of February 2022, there were 8.77 million new pieces of malware circulating the Internet of Things (IoT) and mobile app stores. (AV-TEST)
A ransomware attack takes place against a business every 14 seconds. (Cybersecurity Ventures)
91% of SMBs haven’t purchased cyber liability insurance, despite awareness of risk and the likelihood that they would be unable to recover from an attack. (Cybersecurity Magazine)
Almost 89.7% of US businesses saw at least one successful cyberattack within a 12-month period. (CyberEdge Group)
53% of business leaders agree that remote work has made it much easier for hackers and cybercriminals to take advantage of them. (Norton)
50% of data breach incidents involve phishing and social engineering. (Trustwave)
On average, only 5% of companies’ folders are properly safeguarded. (Varonis)

A large number of organizations still remain unprepared for a cyberattack – please be proactive and prepare now by contacting us – we can implement multi-factor authentication, roll out company-wide security training campaigns, and implement policies and procedures to help you keep your business and sensitive data protected. Don’t become a cybersecurity statistic!

Common Sense and Cybersecurity

Earlier this month, Colonial Pipeline’s operations came to a halt after a ransomware attack orchestrated by DarkSide, an Eastern European cybercriminal organization. It took several days after the May 7 attack for the company to begin restarting parts of their systems as well as the mainlines. The effects were widespread and felt by most of us – gas prices at the pump fluctuated almost immediately.

As a society, we are becoming increasingly desensitized to news like this. Cyberattacks happen so often, it seems, that it’s hardly news. So why is it that so many businesses still don’t take cybersecurity seriously? There’s a shroud of mystery surrounding cyber – the media portrays hackers as hooded criminals lurking in a dark room. And while cybercrime methods change constantly, there are measures companies and individuals can take to protect their data. Those steps aren’t mysterious; they’re not hidden. Maybe they’re so simple – so rooted in common sense – that it’s easy to overlook them, and dismiss their importance.

“The problem with common sense is that it is not so common.”

Maybe it’s easy to dismiss simple ways to implement cybersecurity because “well, everyone knows to do that.” The truth is maybe not everyone knows. Maybe “common sense” isn’t as common as we would like to think. For example – do you lock your doors when you’re not home? Chances are you do. It’s one of the most basic things to prevent entry and protect what’s inside. One of the easiest ways to protect your business data is to password protect your computer systems. This most rudimentary of security measures, which costs nothing to implement is still not being used by many businesses.

Along the lines of common sense, let’s revisit the events following the Colonial breach. Gas prices increased, media coverage heightened awareness of a potential (temporary) shortage. Some people took to the pumps to fill up before it got worse. Others took more drastic measures, filling up plastic bags with gasoline. Common sense would tell (most of) us it’s a bad idea to fill a plastic bag with gasoline, but the truth is not everyone has the same thought process and the same information. So much so that the US Consumer Product Safety Commission announced on social media that it was, in fact, a bad idea to fill plastic bags with gasoline.

Do not fill plastic bags with gasoline.

— US Consumer Product Safety Commission (@USCPSC) May 12, 2021

This is an extreme case, most of us probably understand why it’s not a good idea to fill a bag with gasoline. But many businesses are doing the cybersecurity-equivalent of this, likely without realizing it. For example, if your company has data on computers that aren’t password-protected, or even protected by passwords such as “password1234” – that’s a potentially disastrous situation.

Cybersecurity: Start with common sense

Cybersecurity for your business doesn’t have to be complicated, unattainable, and cost-prohibitive. It would be irresponsible for us to reduce cybersecurity to just password-protecting your computers – but the truth is that you can start with simple steps like that. The password illustration is easy to understand but is by no means the gold standard as far as security measures go. Using common sense – perhaps the best of the senses – can help jumpstart your cyber approach. Your business technology is unique; your cybersecurity strategy should be unique, too. We can start where you are – whether that is as simple as password-protecting your systems or as complicated as monitoring network traffic for anomalies. Every business that uses technology in some way is vulnerable to cyberattacks, from pipelines to pop-up boutiques. Don’t wait until something disruptive brings your operations to a halt. Let’s start today.

Contact our team to talk about cybersecurity solutions for your business, from the tried-and-true to the cutting edge.

Protect Your Identity and Learn About BEC Scams

Today is the first annual Identity Management Day! We join the National Cybersecurity Alliance and the Identity Defined Security Alliance to raise awareness and share resources for identity protection.

Protecting our data and promoting privacy is becoming more important to the wellness and security of our lives both professionally and personally – and not just on Identity Management Day. Cybercriminals are continually evolving their strategy and tactics to compromise their targets; it is paramount that end users stay aware of the dangers that lurk beyond the firewall.

One of the most common threats seen today are “Business Email Compromise” scams – or BECs. These involve criminals impersonating key organizational staff or vendors – perhaps an executive, HR, or other members of leadership – with the end goal being the fraudulent transfer of money.

The most common type of BEC scam is invoice or payment fraud.

65% of organizations faced BEC attacks in 2020.
In 2020, BEC costs increased rapidly, from $54,000 in Q1 2020 to $80,183 in Q2.
In 2020, 80% of firms experienced an increase in cyberattacks.
62% of BEC scams involve the cybercriminal asking for gift or money cards.
Payment/invoice/billing scams skyrocketed by 155% in 2020.

Don’t become a cyber statistic! Read on for tips on how to recognize (and avoid) these increasingly popular email scams.

Be Skeptical

If it seems strange, investigate. Last minute changes in instructions or recipient account information is a red flag that something could be wrong. Trust your gut.

Don’t Click it

Verify information related to any contacts associated with the request. If it is a vendor requesting something, do not contact them through information provided in email – use trusted information on file. If you get a strange request from someone you work with, call them on their known phone number. A quick call can save a big headache!

Double Check that URL

If there is a URL in the email, make sure it’s associated with the business it claims to be from. Discrepancies are a likely indicator that hostile actors may be involved.

Spelling Counts

Make sure to check for misspellings in domain names. Cybercriminals will often exploit similar names, hoping that the recipient will only glance at it and not realize it is different. Writing style will also be very simple and brief with little information added.

Look for Other Clues

Does it seem strange that the CEO is contacting you personally, via email, with an urgent request? Is a manager, with whom you just had a meeting, asking you to send money? Are you receiving invoices from clients that you aren’t responsible for? All of these are common tactics that are used that can be caught by paying attention to oddities.

See Something? Say Something!

If something looks suspicious, report it to your I.T. department or your MSP! If you’ve been of victim of a BEC scam, file a detailed complaint with www.ic3.gov.

Want to learn more about how to protect yourself and your business from cybercriminals?

Back To Business I.T. specializes in creating and managing secure I.T. environments and has the tools and experience to provide proactive, customized cybersecurity training for businesses of all sizes. Don’t become a cyber-statistic! Get in touch today and let us help you take steps to ensuring your cyber safety.

7 Cybersecurity Tips for SMBs

7 cybersecurity tips for small and medium-sized businesses (SMBs), brought to you by Back To Business I.T.

Antivirus and Filters

Scanning your systems regularly to detect malware and potential vulnerabilities should be at the top of the list when it comes to cybersecurity measures. Putting web and email filters in place can help block nefarious traffic and messages from ever reaching your systems.

Restrict Access

Along the same lines of defense as Antivirus and Filters, use restrictions to limit staff access. The same way you restrict departmental access depending on where a person works, it’s a good idea to implement internet restrictions. This way employees are limited to the websites they can access on company computers – and thus lessen the risk that they’ll wander into some dark alley on the internet.

Train Your Staff

One of the biggest cybersecurity risks any company faces is its people. To err is human, right? And err we do. Phishing emails are the most common cyberattack, and how over 90% of successful breaches begin. Educate your staff on best cybersecurity practices. Our cybersecurity awareness training offers not only educational materials, but simulated training exercises to test employees’ preparedness in a safe sandbox environment. Contact us to learn more.

Step Up Your Authentication Game

Setting up multi-factor authentication means that system access has a two-layer protection. Requiring both a password and a pin, for example, will likely reduce your risk of unauthorized access. Much like having biometric and pin or pattern access on your phone protects your data from prying eyes – two-factor authentication on your systems can keep your data safer.

Patch and Update, Faithfully

Clicking that ‘update later’ button is usually a bad idea. Updates ensure your system has the latest information on potential vulnerabilities. Patching does just that – patches certain ‘holes’ or fixes bugs in the system. This is part of why it’s critical to use up to date hardware/software – so you can be sure the manufacturer is working constantly to keep it as secure as possible.

Back Up Your Data

In the case of a breach, having your data backed up can make the difference between paying the ransom or not. Cybercrime isn’t the only reason to back up your data though – as other events can affect system functionality and disrupt your business. In the context of cybersecurity, it can give you the upper hand. If your data is securely backed up, there’s usually less down time in the event of an attack.

Have a Cybersecurity Policy in Place

All the good intention in the world won’t take the place of a solid information security policy. Make sure your staff is aware of the processes and best practices for cybersecurity in your company. You’ve worked hard for your business, protect its future.

Here at Back To Business I.T., we’re a business too. We have the same concerns and face the same challenges. Our customizable solutions are meant to change as your business grows – fitting your needs, and your budget. Take your business to the next level with a technology partner you can trust. Contact us today!