Issue link: https://iconnect007.uberflip.com/i/1469343
58 SMT007 MAGAZINE I JUNE 2022 share awarded money with whistleblowers. (Full disclosure, I am a cybersecurity expert, not an attorney, but I do know how to use Google and put two and two together. For instance, in fiscal 2020, the DOJ took in more than $2 billion under the FCA.) is raises some questions in my mind. Is it a coincidence that CMMC 2.0 now requires the annual affirmation be signed by a senior com- pany official? How liable is that official? To what? What if you signed an affirmation based on an assessment your people made—without intent to defraud—and it is later deemed insuf- ficiently detailed or rigorous? We just don't know at this point. My intention here is not to scare you, but to warn you. I've worked with many, many busi- ness owners, and I can tell you that very few of them were deeply familiar enough with their cybersecurity practices and policies to find any gaps. But they will be the ones who sign their names to an attestation. In practice, however, I think the vendor community will hold each other account- able for compliance before the government does. Likely, the government will get involved either aer there has been a data breach or other cybersecurity problem, or aer being contacted by a whistleblower. How will other vendors—especially downstream ones— ensure your compliance? I think it will become commonplace for them to present you with cybersecurity questionnaires and to expect you to be able to prove your answers. Fortunately, the 17 controls that form the base of Level 1 compliance are relatively straightforward. You'll find they are essentially setting standards. For example, here are the first four controls, taken directly from Federal Acquisition Regulation 52.204-21 Basic Safe- guarding of Covered Contractor Information Systems. (1) e Contractor shall apply the follow- ing basic safeguarding requirements and proce- dures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the follow- ing security controls: (i) Limit information system access to autho- rized users, processes acting on behalf of autho- rized users, or devices (including other informa- tion systems). (ii) Limit information system access to the types of transactions and functions that autho- rized users are permitted to execute. (iii) Verify and control/limit connections to and use of external information systems. (iv) Control information posted or processed on publicly accessible information systems. (v) Identify information system users, pro- cesses acting on behalf of users, or devices. How would you be able to prove these things? Document them. Have written records, sup- plemented by screenshots where you can. I'd suggest you get started now if you haven't yet. I think we will see vendors asking questions about these baseline cybersecu- rity controls well before the CMMC 2.0 rules come out. For those of you who have IT pros on staff, getting this done is simply a matter of delega- tion. For those of you who do not, it's going to take some leg work and possibly some out- side support. Either way, once you think you've achieved compliance, you might benefit from having an outside expert check your documentation, processes, and protocols for things you may have missed. e stakes are already high and will only increase as time goes on. SMT007 References 1. 52.204-21 Basic Safeguarding of Covered Con- tractor Information Systems. | Acquisition.GOV Divyash Patel is president of MX2 Technology.