What is Cybersecurity?

Ah yes, the ‘joys’ of using a laptop or PC that runs Windows software. At one company I worked at, we had an entire testing line that started rejecting product immediately after a Windows update occurred. It was horrible. We couldn’t fix it, and so we had to regress the testers back to the previous version and protect them from automatic pushes from Microsoft, because we had to have them on our internal network for data collection, etc. It took supreme effort to keep IT from updating the computers or reconnecting them to the enterprise-wide network. Eventually, after several years, MS eliminated the code that was troublesome and we could revert to ‘normal’ operation. The internal ego fights over this were epic…

Hacks and data corruption and self-imposed programming ‘failures’ take many forms and have numerous consequences.
 
Hi everybody, thank you for your responses. We are looking into getting help from an outside provider to handle cybersecurity because our IT won't handle it, and I will just forward all cybersecurity-related paperwork to whoever we hire :). See the attached questions I get; now I will just forward everything to the new hire. :)
 
See, I was just worried because I was getting all these emails from customers asking about cybersecurity. But now I have already talked to my boss, and someone else is going to take care of all this. :)
 
Quick question: we are looking at cybersecurity in anticipation of future defense work, so we are in the midst of working to be in compliance with NIST SP 800-171 per DFARS 252.204-7012, and with CMMC 2.0. Do we need to restructure our QMS documents to align with any specific guidelines?
 
Welcome to the cove!
Our IT Manager wrote some procedures that I added to our controlled documents, and I had to make a few minor revisions to our DPD procedure. Otherwise, business as usual.
 
Thank you!

We were nervous that we would have to re-categorize everything. Our IS department has us helping with process and helping to write policies/procedures. This makes me feel better.
 
Waking an old thread.

I am just about to guide our organization through the process. I got some good info off of some threads here at the Cove. No surprise there!

We will be going through the CMMC 2.0 checklist (a gap assessment) to see what we have in place that meets the requirements of DFARS 252.204-7012 and NIST SP 800-171. If I understand correctly, we will then be better suited to pick a model.

The plan is to integrate the requirements into the current management system and associated documented information: revise the Quality Manual and our procedure for Control of Documented Information, and create an Information Security Procedure. Integrated audits, integrated management review, and integrated objectives.

Conduct the first round of internal audits. Have a special management review, if required.

Engage the services of a registrar (what is it, an O3CRS? Sorry, my notes are at the office) and schedule audits.

Any words of wisdom at this juncture would be appreciated.
 
It happened! We had our first government contract come through that included language about CMMC third-party certification:

"RD005: Cybersecurity Maturity Model Certification (CMMC) Level 2 Certified Third-Party Assessment Organization (C3PAO) Phase In Requirement (November 10, 2025 – November 10, 2028)"

It's not a hard requirement yet to be "CMMC Level 2 Third-Party Certified" but it is evidently being phased into contracts.

We have been performing the self-assessment for the past few years against the 100+ controls outlined in NIST SP 800-171 through the SPRS portal, and we consider ourselves compliant with CMMC Level 2 for self-assessment, complete with procedures, forms, and work instructions outlined in our QMS and DFARS flow-down to our subs. But does anyone have reliable third-party auditors lined up for this yet? Has anyone gone through the process to get a CMMC Level 2 third-party certification?

I get spammed with a few emails a week from random CMMC certification companies that are really pushing their services like used-car salesmen. As this requirement creeps closer to reality, maybe less than two years away, we want to be proactive but also don't want to be taken for a ride.
______________________________________________________________________________________________________________________

Edit to add some resources that may help folks get started: https://www.sprs.csd.disa.mil/nistsp.htm and https://www.dla.mil/Small-Business/Resource-Center/Cybersecurity-Resources/#cmmc-requirements
 