Business Owner’s Guide to CMMC
Ep 5: Awareness & Training
Watch episode 5 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Stay tuned weekly for new episodes containing actionable insights and an overview of each CMMC domain.
BEN: Alright, Dan, so let’s talk about awareness and training, the second category. So, high level, what are we looking at here?
DAN: What you’re looking at is pretty much the roles that you have within your organization. Are they security-aware? From a big animal picture, it comes down to this…you have to create a security culture. People have to say, “What I’m touching today is important information and I have to secure it.” And everybody’s role in the company is going to be different…if you’re a secretary, if you’re an engineer, if you’re the operator on a CNC machine. In those environments, do they have the right training? Do they have the knowledge of thinking, “Am I doing this in a secure way?” A lot of those things, from a company perspective, we address in policies. For example, we have a policy in place that says an engineer cannot just put a CD in, copy the drawings, and carry that CD over to share it with another company. That’s not a secure way of transferring vital information. I’m sure in your experience working with companies, you’ve come across different roles.
BEN: Yeah, at a high level, there are two things. There’s the generic cybersecurity training that has to happen quarterly or on whatever timeframe. That’s generic across the entire organization. And then, as you mentioned, there’s kind of role-specific security training that has to happen. How does the CNC operator move data through the organization? Or, as you mentioned, how do you share data appropriately with external constituents? Well, that may be different at the engineering level or the account management level from the person that’s operating that machine. So, the organization needs to understand, within their different roles, what sort of specific role-based training has to happen, so that the organization comes together all doing the right things culturally from a security standpoint.
DAN: Yeah, that’s very good.
Watch Episode 6 on Audit & Accountability.
Need help getting compliant?
Avatara’s DoD Platform is a turnkey solution for centralized data and easier compliance. Schedule a free consultation today to learn more.