By P. Devon Schall, CISSP, RDRP
As I work with clients on assessing their posture with the RMF control families, I am consistently amazed at how many businesses see cybersecurity as an afterthought. More and more often I conclude that many small to medium sized DoD contractors would not implement cybersecurity controls unless required to. The conversation of cybersecurity comes up when these companies discover their contractual RMF obligations. Unfortunately, upon the “do RMF” discovery, they realize they are not prepared for the financial and workload magnitude of the requirement. Some common statements are, “we have so many other more important things than RMF to do” and “RMF is not increasing our bottom line.” With or without expansive budgets, companies must come to the table with cost effective cybersecurity defensive strategies. The three suggestions below provide solutions to strengthen cybersecurity posturing with ever tightening budgets while satisfying some of those pesky RMF security controls.
1. Introduce “Lunch and Learn” events that reinforce cybersecurity awareness training for your staff. After all, people are the biggest risk in cybersecurity. Implementing a few trainings sessions yearly is far less costly than1. Introduce “Lunch and Learn” events that reinforce cybersecurity awareness training for your staff. After all, people are the biggest risk in cybersecurity. Implementing a few trainings sessions yearly is far less costly thanhaving a cybersecurity incident. These cybersecurity trainings will also satisfy Awareness and Training (AT) RMF controls. We often take non-technical staff members for granted and assume they think about cybersecurity as much as we do. In reality, they may forget about their annual cybersecurity awareness training as quickly as they registered for it.
2. Consider choosing a member of your IT staff and authorizing them to obtain a credential such as CompTIA’s Security+ or the gold standard, Certified Information System Security Professional (CISSP) offered by (ISC)2. By getting a member of your IT staff certified, you’re creating expertise and showing your staff that you believe in investing in them. Contrary to popular belief, these exams can be “cleared” with minimal financial investment, and if CISSP is too intensive, take a look at Security+ which is much more approachable and a good jumping off point.
3. Consider engaging a Virtual Information Systems Security Officer (vISSO) or a Virtual Chief Information Security Officer (vCISO). Every large company, at the very least should have a dedicated CISO on staff, but for a smaller business full-time CISOs may be out of reach. Virtual ISSOs or CISOs can be put on retainer, hired by project, or provide a block of monthly support hours. Having these kinds of experts provide expertise that may be out of scope for a local hire.
