Cybersecurity and Proper Process

Recently, a state institution's audit uncovered that the organization had mistakenly transferred $400,000 to a fraudulent vendor. Although the institution is not part of the DIB, this case illustrates why, in the CMMC ecosystem, a C3PAO (CMMC Third-Party Assessor Organization) is required to certify a contractor's compliance with CMMC at Level 2 and above.

How do fraud or cybersecurity incidents happen?

In the case of this institution, a fraudulent vendor approached the organization and said that it needed to change bank accounts. The institution made the change, but the alleged new bank account was just a scam. There was no process in place to vet either the new vendor or the bank account they wanted the institution to use. Put more simply, there was no protective process to prevent this kind of event.

Preventing financial and cybersecurity attacks

Most cybersecurity frameworks, such as the NIST CSF, ISO 27001, and CMMC, stress the importance of a few key factors:

  • Create internal processes that management approves
  • Train all members of the team on these processes
  • Document the processes and log any issues the organization experiences so these gaps can be remediated

The institution admitted, after the audit report was released, that it did not have an internal process for vetting vendors and ensuring new vendors were credible.

Cybersecurity incidents occur in similar ways. A perpetrator will call asking for an employee by name, claiming that the employee said they were going to send the perpetrator funds. Without proper internal processes and validations, it is very easy to hand over information and create a significant financial and/or cybersecurity incident.

CMMC is Never Done

As defense contractors face CMMC compliance, it is important to remember that passing the 110 NIST SP 800-171 controls is just the beginning of the security journey. Processes need to be tested constantly, employees from top to bottom need to be trained constantly, and the organization must update its documentation and tactics as threats evolve and change.

What Questions Do You Have?

If you are worried that a cybersecurity or financial incident could strike your organization through simple human error, you are playing it smart. Most cybersecurity incidents occur because of innocent insider errors. How can you secure your CUI as well as the rest of your organization's data? Let's talk.