Business Owner’s Guide to CMMC
Ep 14: Risk Assessment
Watch episode 14 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Subscribe to our YouTube channel for more episodes containing actionable insights and an overview of each CMMC domain.
BEN: So what are we thinking about risk assessment?
DAN: Risk assessment is actually just as it sounds: you’re assessing the risk to your organization, both from a high-level business standpoint, and then you’re also doing the technical piece that says, I’m checking to see if I have any vulnerabilities. And if I do have those vulnerabilities, how do I remediate those vulnerabilities?
BEN: Yeah, and I think that latter one, that is, to me, one of the most important things that you can be doing. And a lot of times within a kind of a small or mid-sized organization it needs to be outsourced, because oftentimes, you know, small or mid-sized businesses don’t have the expertise. But I know here, at Avatara, we have an outsourced 24×7 security operations center, and we do vulnerability scans every weekend. And from that there are POA&Ms, or plans of action (high, medium, low), that our cyber security team is working on every week. So while the high-level risk assessment is this quarterly or annual business conversation around, “What would happen to my revenue, what would happen to my customers, what would happen to my employees if we were to be hit with one of these cyber attacks? And how do I plan for that accordingly?” That has to happen. But what is also captured within this category, two very different things, is what is the daily practice of assessing to make sure that you’re keeping up with all the threat factors that continue to change out there in the environment.
DAN: And how you’re going to address those if they do happen. It’s the opportunity to sit here with this category and say, overall, from a business standpoint, what happens if the power goes out? How am I going to function? Do I have backup power? Do I have backups, and how am I controlling those? Because I may need to go to another site. So, it’s your chance, as a business, to really look at this. With CMMC, they look at it with the CUI goggles on. But it really says, what am I going to do so that when something bad happens, okay, I can respond.
BEN: Right. Good.
Watch Episode 15 on Security Assessment.
Need help getting compliant?
Avatara’s DoD Platform is a turnkey solution for centralized data and easier compliance. Schedule a free consultation today to learn more.