Choosing Our MSP for CMMC
Gathering my management team together to tackle Cybersecurity Maturity Model Certification (CMMC) was the most important step. In a small business, you only have so many people available. We do not have an IT position on staff. In addition to myself, STRYKER has an operations manager, human resources and finance manager, production manager and business development manager.
These were the people that I brought together as my CMMC team. It would be impossible for one person alone to implement the changes necessary to conform to the standards set forth by the National Institute of Standards and Technology (NIST).
When we signed the contract with our selected MSP, our first project was to have them come in and do a risk assessment. This didn’t take too much of my team’s participation. The consultant basically set up shop in an extra office and penetrated our networks and systems.
In this two-day audit, the first day was “hacking” day and the second day was the presentation of his findings. He shared with us our strengths and weaknesses. It was an overwhelming feeling to know that we were not where we should be, so we took some time to digest the information.
After we gave our MSP the “go ahead,” we had a conversation regarding the plan of action. He prepared a POAM (Plan of Actions and Milestones) document for us to work from. We started to check things off the to-do list, delegating projects and bringing in the third parties necessary to achieve our goals. We worked together to solve multiple issues rather quickly and have already found successes.
Throughout this CMMC journey, I will continue to share my experiences as a small-business owner and the realities of the CMMC process for STRYKER. If you are also considering this cybersecurity journey, follow along to reap the benefits of what we’ve already come to learn.