5 Ways EstesGroup Helps with Your CMMC Compliance


You might be reading this post because you are researching the Cybersecurity Maturity Model Certification (CMMC), your company needs to become compliant, or your company is already CMMC compliant but needs more IT services. In 2019 the Department of Defense announced a new cybersecurity protocol named CMMC that all DoD contractors (and some of their supply chains) would need to adhere to starting in 2020. There are 5 levels of CMMC certification, and EstesGroup can be an asset to companies at any of the levels.


5 Ways EstesGroup Helps with Your CMMC Compliance

  1. EstesGroup helps you identify the technology and/or services you need to meet your CMMC Level Requirements.  
  2. EstesGroup can improve your Process Maturity by helping evaluate your Procedures, Policies, or Practices. Once we’ve reviewed those processes, we can help update them to ensure you meet your CMMC Level and other compliance requirements. 
  3. There are 17 Domains that CMMC is built on. EstesGroup has the experience, tools, and services to support your business across nearly all of these domains.  
    • EstesGroup routinely deploys tools and managed services that directly support these CMMC domains: 
      • Access Control, Asset Management, Audit and Accountability, Configuration Management, Identification and Authentication, Maintenance, Recovery, Risk Management, Security Assessment, Situational Awareness, Systems and Communications Protection, and System and Information Integrity. 
    • EstesGroup can consult on and support the technology used in the following domains as well, but these domains typically require internal personnel or a third party on-site: 
      • Awareness and Training, Incident Response, Media Protection, Personnel Security, Physical Protection, and Risk Management 
  4. EstesGroup Managed Services (ERP Hosting ECHO & Managed IT) employ many of the standard Cybersecurity measures required for CMMC. We regularly monitor our internal and client assets for threats, perform preventative maintenance, and update technology or processes to meet or exceed cybersecurity requirements.  
  5. EstesCloud Hosting (ECHO) services enable many CMMC requirements without significant impact to you, your users, or your bottom line. By hosting your servers or software solutions in a managed cloud environment, you can compartmentalize your compliant systems and protect them at the highest CMMC levels without locking down your whole office. For more details, see our page on EstesCloud Hosting for Aerospace & Defense.


To learn about CMMC, read our blog “What is CMMC: Cybersecurity Maturity Model Certification?”


EstesGroup is a Managed Service Provider that works with manufacturing and distribution companies by providing ERP Hosting (ECHO), Managed IT, Epicor ERP, and Prophet 21 ERP services.


Have questions about CMMC or do you want more information on how EstesGroup makes companies more secure? Contact Us or fill out the form below.


What is CMMC: Cybersecurity Maturity Model Certification?


CMMC: The Looming Cyber-Security Certification that Affects 60,000+ Companies. 


In 2019, the U.S. Department of Defense (DoD) announced a new security protocol program for contractors, called Cybersecurity Maturity Model Certification (CMMC). CMMC is a DoD certification process that lays out a contractor’s security requirements, and it is estimated that between 60,000 and 70,000 companies will need to become CMMC compliant in the next 1-3 years.


CMMC is essentially a combination of, and an addition to, the existing regulations in 48 Code of Federal Regulations (CFR) 52.204-21 and the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and it includes practices from National Institute of Standards and Technology (NIST) SP 800-171, the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight requirements. International Traffic in Arms Regulations (ITAR) will remain a separate certification from CMMC, though companies that are ITAR compliant will need to adhere to CMMC as well. 


CMMC Version 0.7 was released in early December 2019, and it is expected that Version 1.0 will be released to the public by the end of January 2020. To view the latest CMMC document, visit the CMMC DoD site. 


CMMC Notables 

  • There are 5 levels of security maturity process (Level 1 is basic and Level 5 is the most stringent) 
  • Any company that does business with the DoD directly, and some that do so indirectly, will have to adhere to CMMC – that means direct DoD contractors and the supply chains of high-level CMMC companies must adhere to at minimum the base level requirements 
  • No self-assessment (unlike NIST): companies need to get certified through a qualified auditing firm 
  • DoD will publish the certification level requirements for all contractors 

Is My Business Affected by CMMC? 


This is easily answered with a two-part question: (1) is your business a direct contractor to the DoD, or (2) does your business do business with a company that is a contractor to the DoD*? If you answered “yes” to question 1, then your business will need to be CMMC compliant. If you answered “yes” to question 2, then it is very probable that your company will need to be CMMC compliant. 

What are the CMMC Levels? 

  • Level 1 – “Basic Cyber Hygiene”  
    • Antivirus 
    • Meet safeguard requirements of 48 CFR 52.204-21 
    • Companies might be required to provide Federal Contract Information (FCI) 
  • Level 2 – “Intermediate Cyber Hygiene” 
    • Risk Management 
    • Cybersecurity Continuity plan 
    • User awareness and training 
    • Standard Operating Procedures (SOP) documented 
    • Backup / Disaster Recovery (BDR) 
  • Level 3 – “Good Cyber Hygiene”
    • Multi-factor authentication for systems 
    • Security Compliance with all NIST SP 800-171 Rev 1 Requirements 
    • Security to defend against Advanced Persistent Threats (APTs) 
    • Share incident reports if company subject to DFARS 252.204-7012 
  • Level 4 – “Proactive” 
    • Network Segmentation 
    • Detonation Chambers 
    • Mobile device inclusion 
    • Use of DLP Technologies 
    • Adapt security as needed to address changing tactics, techniques, and procedures (TTPs) in use by APTs 
    • Review & document effectiveness and report to high-level management 
    • Supply Chain Risk Consideration* 
  • Level 5 – “Advanced / Progressive” 
    • 24/7 Security Operations Center (SOC) Operation 
    • Device authentication 
    • Cyber maneuver operations 
    • Organization-wide standardized implementation of security protocols 
    • Real-time asset tracking 

One important thing to note about CMMC is that, unlike NIST and other current certifications, CMMC will require certification from an authorized third-party CMMC certification company. Currently, most companies can self-certify for DoD-related security requirements. EstesGroup is not a CMMC certification company, but we can help companies prepare and get their security up to requirements.

For more specifics on CMMC, access the DoD’s latest CMMC revision.


Learn more about CMMC with 5 Ways EstesGroup Helps with Your CMMC Compliance


Do you have questions about CMMC or how EstesGroup can help your company with CMMC? You can Contact Us or leave a comment in the form below.


12 Days of ECHO, Sixth Day: My Admin Gave to Me a Fix for Microsoft IIS Log Sprawl!


On the Sixth Day of ECHO, my admin gave to me, some tips about Microsoft Internet Information Services (IIS) and log files!


Every Epicor E10 and Prophet 21 Middleware server uses Microsoft Internet Information Services (IIS) to get its job done.  By default, IIS creates a log file on the C: drive for every day it’s running.  Often, we can tell how long a server has been running just by counting IIS log files.  However, chances are great you don’t ever look at those log files!  Therefore, we recommend disabling the IIS logs in IIS Manager to save the I/O and disk space.  Keep in mind that disabling them also removes the only per-request record of what the server served and to whom, so if you need the logs for auditing, we suggest putting them on another volume and marking them with NTFS compression for best performance.  After that, a weekly script to delete the oldest files will keep things neat and trim.  FORFILES /P C:\inetpub\logs /S /M *.log /D -30 /C "cmd /c del @FILE" is my go-to command (it recurses into the W3SVC subfolders, matches only .log files, selects those last modified 30 or more days ago, and deletes each one). 
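The same three steps in PowerShell, as an added example that is not EstesGroup’s own script: relocate the IIS log folder to another volume, mark it NTFS-compressed, and register the weekly prune as a scheduled task. It assumes an elevated session, the WebAdministration module that ships with IIS, and the hypothetical log volume D:\IISLogs.

```powershell
# Added example (not EstesGroup's script): move IIS logs off C:, mark the
# folder NTFS-compressed, and prune logs past a retention window weekly.
# Assumes an elevated session, the WebAdministration module (IIS 7.5+),
# and the hypothetical log volume D:\IISLogs.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$LogRoot       = 'D:\IISLogs'   # assumed dedicated volume, not the system drive
$RetentionDays = 30             # same window as the FORFILES /D -30 in the post

# 1. Create the folder and mark it compressed; files written later inherit the attribute.
if (-not (Test-Path $LogRoot)) { New-Item -ItemType Directory -Path $LogRoot | Out-Null }
compact.exe /C /S:"$LogRoot" | Out-Null

# 2. Point the defaults for new sites, and every existing site, at the new folder.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.applicationHost/sites/siteDefaults/logFile' `
    -Name 'directory' -Value $LogRoot
Get-ChildItem IIS:\Sites | ForEach-Object {
    Set-ItemProperty -Path "IIS:\Sites\$($_.Name)" -Name logFile.directory -Value $LogRoot
}

# 3. Prune: delete only *.log files older than the window, reporting each deletion.
function Remove-OldIisLog {
    [CmdletBinding()]
    param([string]$Path, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Recurse -Filter '*.log' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            Write-Verbose "Deleting $($_.FullName) (last written $($_.LastWriteTime))"
            Remove-Item -LiteralPath $_.FullName -Force
        }
}
Remove-OldIisLog -Path $LogRoot -Days $RetentionDays -Verbose

# 4. Schedule the prune weekly as SYSTEM so it keeps running with nobody logged on.
$cmd = "Get-ChildItem -Path '$LogRoot' -Recurse -Filter '*.log' -File | " +
       "Where-Object { `$_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } | " +
       "Remove-Item -Force"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$cmd`""
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
Register-ScheduledTask -TaskName 'IIS Log Prune' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
```

Existing log files already on C: are not moved by this; copy or delete them once, and new daily logs will land on the new volume after IIS next rolls its log.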


If you liked reading the “Sixth Day of ECHO” return to our main list to read all of the other “12 Days of ECHO” posts.


Do you have questions or need assistance with your Epicor system?  Please feel free to Contact Us and see if we can help get your bits and bytes in order.

12 Days of ECHO, Fourth Day: My Admin Gave to Me Tips on SQL 64k Clusters!


Tips on SQL 64K Clusters and Epicor SQL Services Database Bytes


Microsoft SQL Server likes to do all of its input/output in 64K chunks, but Windows likes to format hard drives in 4K chunks called “clusters”. Studies have shown that the volumes that store SQL databases and transaction logs benefit from 64K clusters – up to 35% better performance!  To check what your cluster size is, open an elevated Command Prompt and type “CHKDSK D:” (where D: is where your databases are stored).  The line “xxx bytes in each allocation unit” should say 65536, not 4096.   


If you find that your server admin formatted with the default 4096 allocation unit, then changing it is easy: kick everyone out of Epicor, shut down the SQL services, and back up the entire volume.  Then reformat with 64K clusters and do a volume restore.  Restart the SQL services (and your Epicor Task Agent) and let the users back in! 
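A PowerShell version of the check above, added here as an example that is not part of the original post: it asks SQL Server where its data and log files live, then reports the allocation unit size of each volume that holds one, so you only reformat the volumes that matter. It assumes the SqlServer module (for Invoke-Sqlcmd), Get-Volume (Windows 8 / Server 2012 or later), and a hypothetical instance name EPICORSQL.

```powershell
# Added example (not from the post): list every local volume that holds a
# SQL Server data or log file and flag any whose NTFS allocation unit is
# not 64K. Assumes the SqlServer module (Invoke-Sqlcmd), Get-Volume, and a
# hypothetical instance name 'EPICORSQL'.
Import-Module SqlServer

function Test-SqlVolumeClusterSize {
    [CmdletBinding()]
    param(
        [string]$ServerInstance = 'EPICORSQL',   # assumed instance name
        [int]$ExpectedBytes = 65536              # 64K, per the post
    )
    # Every data (.mdf/.ndf) and log (.ldf) file the instance knows about.
    $files = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT DB_NAME(database_id) AS db, type_desc, physical_name FROM sys.master_files
"@
    # Keep only drive-letter paths; UNC or mount-point paths need a different check.
    $local = $files | Where-Object { $_.physical_name -match '^[A-Za-z]:\\' }
    $letters = $local.physical_name |
        ForEach-Object { $_.Substring(0, 1).ToUpper() } |
        Sort-Object -Unique

    foreach ($letter in $letters) {
        $vol  = Get-Volume -DriveLetter $letter
        $dbs  = ($local | Where-Object { $_.physical_name -like "${letter}:*" }).db |
                Sort-Object -Unique
        [pscustomobject]@{
            Drive              = "${letter}:"
            AllocationUnitSize = $vol.AllocationUnitSize
            Is64K              = ($vol.AllocationUnitSize -eq $ExpectedBytes)
            Databases          = ($dbs -join ', ')
        }
    }
}

# Report; any row with Is64K = False is a candidate for the reformat described above.
Test-SqlVolumeClusterSize | Format-Table -AutoSize

# The reformat itself is destructive and belongs after SQL is stopped and the
# volume is backed up, so it is deliberately left commented out here:
# Format-Volume -DriveLetter D -FileSystem NTFS -AllocationUnitSize 65536 -Confirm
```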


Sound like too much for you to handle? 

Give us a call or send us a message; our database admins would be happy to assist. 


If you liked this tip and trick, read our other 12 Days of ECHO posts by following this link.


If you have feedback or a specific question, feel free to submit a comment in the form below.

12 Days of ECHO, Second Day: SQL Licensing


On the Second Day of ECHO, my System Admin gave to me, SQL Licensing!


You probably already know that Microsoft SQL Server is required for Epicor 10 and Prophet 21, but do you know whether you are in compliance with Microsoft’s licensing? SQL licensing can be confusing, but in most cases it can be broken down to either “by core” or “by user”.  There is an exception for SQL Enterprise licensing on a hypervisor, but that’s a specialized case. Most smaller organizations use SQL Standard Edition, as opposed to the more expensive and more capable Enterprise Edition.  Likewise, most Epicor clients use the “by core” licensing model as opposed to the “by user” model. 


In short, if you are running SQL in the “per core” licensing model, every 2 cores that are available to the SQL server must have the appropriate licenses – with a minimum of 4 cores.  If you have more than one SQL server, then you must have a minimum of 4 cores licensed PER server!  Keep in mind that the SQL Engine and SQL Reporting Services are both licensed software, and if they are split onto different servers, they EACH must have appropriate licenses. 


We’ve seen instances of clients who increase their SQL Server CPU core count to see if they get faster processing, but often end up violating their license agreement and creating expensive problems when Microsoft Auditors come knocking.  Likewise, splitting the SQL Engine and the SSRS functions will increase your license count. 


One small consolation prize – multiple instances of SQL on the same OS do not require additional licensing beyond the first instance.  Therefore, you might find some benefit to running another SQL instance on the same server to split queries.  (See our future blog 11th Day of ECHO: Separating OLTP and DS – detecting and avoiding deadlocks) 


The downside is that all SQL licenses are on an honor system – the application does NOT keep track of licenses, so it’s your job to make sure you’re in compliance! 


Till next time, keep the holiday cheer! 


If you liked reading the “Second Day of ECHO” return to our main list to read all of the other “12 Days of ECHO” posts.


Do you need assistance managing your SQL licenses or database administration?  Please feel free to Contact Us and see if we can help get your bits and bytes in order.

The Unique Family Dynamics of a Successful ERP Implementation


Tolstoy famously remarked that “all happy families are alike; each unhappy family is unhappy in its own way.”  Reflecting on Tolstoy’s own relations and on the kindred lives of the characters in his novels, I’ve often wondered if Enterprise Resource Planning (ERP) implementations are like families, and whether such categorical statements could be similarly applied to successful and unsuccessful families of projects.  While every project has its own unique dynamics, I’m obliged to believe that roughly the inverse of Tolstoy’s statement is the case—that each happy ERP implementation isn’t alike, but rather is successful in its own way.


That is, I’ve seen successful ERP implementation projects that have differed from one another in surprisingly significant ways.  As such, it might be best to review successful ERP projects individually and try to understand what it is among them that made them successful.  Anyone can wax eloquent on the generic platitudes that lead to a successful implementation, but in practice, when the time comes to make tradeoffs between platitudes, it’s helpful to know how companies work through challenges and finally arrive at successful implementations.


One project that we recently completed fit such a mold.  While not free of obstacles, the end-product was immensely successful.  A number of key factors led to the ERP implementation’s success:

  • All of the team members were engaged and onboard.  Getting the team to buy into the project’s mission, and actively support that mission, was never a problem.
  • The project team did a large amount of their own end-to-end testing.  Unlike some projects, where the team only tests while the consultants are onsite, the team verified their system configuration and business processes whenever possible, leading to a rock-solid business process at cutover.
  • The team took ownership of issue resolution.  The team dug in, tried things out, and came to solutions.  This served to greatly shorten certain phases of the project.
  • The team made decisions quickly, collaboratively.  The project was rarely, if ever, waiting on a key decision, and nobody on the team could have been accused of analysis paralysis.
  • The team took responsibility for their roles and did the work on time, and on schedule.  Schedule attainment was a high priority, and the team put the necessary work in to make things happen.
  • The team displayed a culture of respect, staying respectful during difficult conversations and decisions.  The stresses involved in an ERP project can at times encourage dysfunctional or toxic behaviors, but this team treated each other with a high degree of respect, even when working through the toughest decisions.
  • The team’s project management was of the highest capabilities, displaying excellent collaboration and communication with the core team, and with the EstesGroup team as well.

The net result was a successful ERP implementation project on-time and on-budget, with the expected level of system capabilities.  The team experienced a clean and quiet cutover, and quickly stabilized.  Within a short time, the company had moved onto managing daily operations and planning for the future.

Every project has its wayward sheep, be they executive sponsorship, excessive customization, inadequate team investment, or challenges with data conversion.  No project ever checks all the happy boxes. 


But in spite of challenges, the best companies still manage to successfully implement their enterprise systems, keeping their team engaged, committed, and dependable—regardless of all the unique twists in their project’s DNA. 


Are you ready for your company to create its own exceptional implementation story? 

Come talk to us, and we’ll share some of the greatest success stories of ERP history—prosperous implementations similar in success, yet nuanced in achievement—stories that can inspire your own project to be a story with a happy ending.