Issue link: https://iconnect007.uberflip.com/i/1475010
70 SMT007 MAGAZINE I AUGUST 2022 people in operations should be able to access operations data; sales folks should have access only to sales specific folders and files; and the same for each of your departments, functional areas, or lines of business. en within each of those, access to data needs to be defined by the individual's job description. Despite my client's level of preparedness, the entire process of bringing them into com- pliance took nearly the full six months. As I explain why, ask yourself if your organization might face similar challenges. Part of that time was used in setting up a compliant physical environment for their servers, which required changing both the room's location and retrofit- ting fire suppression and HVAC. But the refit of the server environment wasn't the most time- consuming piece. It was defining, developing, and training folks on the new IT policies and procedures, including a security and disaster recovery plan. ese things do not happen overnight, and because each company is different, off-the- shelf plans won't work. Your plans must be customized to your technology environment and the people and machines that connect to it. Customize Your Plan Like other manufacturers, this company had a diverse technology environment—one that had grown in fits and starts over time. is is perfectly natural; companies usually add peo- ple, equipment, and technology based on actual or projected demand and opportunities as they arise, sometimes over the course of decades. But as a result, no one in this company had a complete knowledge of their full IT environ- ment, literally everything that connected to its network, every user's every device, every bit of production equipment, every soware pro- gram—even the smart refrigerator and vend- ing machines in the breakroom. Of course, we needed to perform a vulnerability scan of the entire network and anything that connected to it over time. It's not enough to examine a spe- cific day, we must look at the network over a good chunk of time to get a real sense of what's happening. Some of you will be in the same position; you will find that you are already following certain practices pretty well, but without a gap anal- ysis your remediation efforts are like shooting arrows in the dark. You can't begin, let alone pace, a reasonable remediation program until you know what you need to remediate. Further, you must allow for production downtime for certain tasks, and for the fact that other tasks will have to be done off hours, by someone who knows what they are doing. All these will affect your timeline. Now think about your company. Even if you have an in-house IT person, this work will require three to six months of an FTE's effort. Who will be stepping in to backfill your IT per- son's day-to-day responsibilities? Find an Expert Level One compliance relies on an annual self-attestation, and this attestation must be signed by the owner, CEO, or another C-level executive. Here's my prediction: Some small business owners will try to do this on their own, and will check boxes, believing they are doing things properly according to CMMC. Sooner or later, however, a customer, a ven- dor, or a prime with IT security experts who know these requirements inside and out will come along and say, "Show me." Despite my client's level of preparedness, the entire process of bringing them into compliance took nearly the full six months.