Issue link: https://iconnect007.uberflip.com/i/1472190
JULY 2022 I SMT007 MAGAZINE 19

there was an announcement that by this time next year, you must comply with CMMC level one self-attestation. A lot of companies are falling way behind already.

Johnson: Is this a process that is best suited with a consultant or a contractor?

Patel: Yes, because even with CMMC Level 1, there could be a lot of ambiguity translating what the DoD is really looking for. IT has one set of understanding, but you need to organize it in such a way that you can self-attest compliance. You need methods in place to maintain and control it. You must make sure that the people are following the process and not just doing it to comply with the self-attestation requirement. This must be taken very seriously and maintained properly. Leaders of an organization must take a better approach to security overall. This is a big deal. It could result in business interruption, loss of revenue, and worst case, shut down their company. It could affect their reputation. A consultant can help you protect yourself.

Matties: Would you recommend using Level 1 CMMC as an audit?

Patel: Yes, or more accurately, as a self-attestation exercise. Level 1 has the foundational pieces in place, whether it's CMMC or another standard that comes out two years from now. I caution, though, not to do it for the acronym. As I have said many times, manufacturing businesses must take these things seriously. The manufacturing sector is an older industry, and they typically have systems in place that, once they start producing, get left alone. Companies don't go back later and check that they're still secure.

Matties: I think you're bringing up a good point. Your IT department is going to help set up the capture points, the sensors, and all the servers, but it must be an ongoing process. It's going to take a business intelligence or a cybersecurity intelligence person or consultant.

Patel: Yes, exactly; maintaining and monitoring is key.
For example, in ISO 9001 a document control department helps maintain quality management systems related to its processes and procedures. It's a similar thought, similar concept; it's an ongoing process.

The Cybersecurity ROI: Implementing on a Budget

Matties: Aside from the business shutdown of a ransomware attack, how does someone justify the ROI? Are there silver linings where they may find some new capacity opportunity? For example, as an assembly house, I'm spending a lot of money on this because I have to. It's like buying insurance; protecting yourself against a catastrophic event. If we put that protection aspect aside, are there any operational ROIs that they may benefit from? Maybe because you're now following some cybersecurity protocol, your equipment is being updated and maintained in a more efficient and optimal way, which is giving added capacity?

Patel: Yes, that's true, but it's not exactly like buying insurance, because insurance won't help protect you from ransomware or help you win more business. While security is an added expense to any manufacturing company, if you have these security protocols and documents in place, you will have credibility in the eyes of the market. You'll gain the confidence of your customers. Furthermore, having compliance certifications in general can attract more business for an organization. If other companies are not doing this or not taking these things seriously, those vendors will lose potential business opportunities. As far as the investment, let's say you budget $1,000 every month. This will allow you to put the right security protocols and com-