What is CMMC: Cybersecurity Maturity Model Certification?


CMMC: The Looming Cyber-Security Certification that Affects 60,000+ Companies

 

In 2019, the U.S. Department of Defense (DoD) announced a new cybersecurity certification program for its contractors, the Cybersecurity Maturity Model Certification (CMMC). CMMC is a DoD certification framework that defines the security practices a contractor must have in place, and it is estimated that 60,000 to 70,000 companies will need to become CMMC compliant within the next one to three years.

 

CMMC largely combines, and builds on, existing requirements in 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and it incorporates practices from National Institute of Standards and Technology (NIST) Special Publication 800-171, the United Kingdom's Cyber Essentials, and Australia's Essential Eight. The International Traffic in Arms Regulations (ITAR) remain a separate regulatory regime, not part of CMMC; companies subject to ITAR will need to comply with CMMC as well.

 

CMMC Version 1.0 was released in late January 2020. To view the latest CMMC document, visit the DoD's CMMC site.

 

CMMC Notables 

  • There are 5 maturity levels (Level 1 is basic; Level 5 is the most stringent). 
  • Any company that does business directly with DoD (and many that do so indirectly) will have to meet CMMC: prime contractors and the supply chains of higher-level CMMC companies must meet at least the base-level requirements. 
  • There is no self-assessment (unlike the current NIST SP 800-171 self-attestation); companies must be certified by an accredited third-party assessor. 
  • DoD will specify the required certification level in each solicitation, so contractors will know which level a given contract demands. 

Is My Business Affected by CMMC? 

 

This is answered with two questions: 1) Is your business a direct contractor to the DoD? 2) Does your business do business with a company that is a contractor to the DoD*? If you answered "yes" to question 1, your business will need to be CMMC compliant. If you answered "yes" to question 2, it is very probable that your company will need to be CMMC compliant, because the required level flows down through the supply chain. 

What are the CMMC Levels? 

  • Level 1 – "Basic Cyber Hygiene"  
    • Antivirus 
    • Meet the safeguarding requirements of 48 CFR 52.204-21 
    • Applies to contractors that handle Federal Contract Information (FCI) 
  • Level 2 – "Intermediate Cyber Hygiene" 
    • Risk management 
    • Cybersecurity continuity plan 
    • User awareness and training 
    • Standard Operating Procedures (SOPs) documented 
    • Backup / Disaster Recovery (BDR) 
  • Level 3 – "Good Cyber Hygiene"
    • Multi-factor authentication for systems 
    • Compliance with all NIST SP 800-171 Rev 1 requirements 
    • Security to defend against Advanced Persistent Threats (APTs) 
    • Report cyber incidents to DoD if the company is subject to DFARS 252.204-7012 
  • Level 4 – "Proactive" 
    • Network segmentation 
    • Detonation chambers (sandboxing of suspicious files and links) 
    • Mobile device coverage 
    • Use of Data Loss Prevention (DLP) technologies 
    • Adapt security as needed to address changing tactics, techniques, and procedures (TTPs) in use by APTs 
    • Review and document effectiveness and report to senior management 
    • Supply chain risk consideration* 
  • Level 5 – "Advanced / Progressive" 
    • 24/7 Security Operations Center (SOC) operation 
    • Device authentication 
    • Cyber maneuver operations 
    • Organization-wide standardized implementation of security practices 
    • Real-time asset tracking 

One important thing to note about CMMC is that, unlike NIST SP 800-171 and other current requirements, CMMC will require certification by an accredited CMMC Third Party Assessment Organization (C3PAO). Today, most companies self-attest to meeting DoD cybersecurity requirements. EstesGroup is not a CMMC certification company, but we can help companies prepare and raise their security posture to meet the new requirements.

For more specifics on CMMC, access the latest DoD’s CMMC Revision.

 

Learn more about CMMC with 5 Ways EstesGroup Helps with Your CMMC Compliance

 

Do you have questions about CMMC or about how EstesGroup can help your company with CMMC or other cybersecurity, compliance or data issues? Contact us or chat with us today.

12 Days of ECHO, Sixth Day: My Admin Gave to Me a Fix for Microsoft IIS Log Sprawl!

Microsoft IIS Log Sprawl: Getting Away from the Sprawl

 

On the Sixth Day of ECHO, my admin gave to me, some tips about Microsoft Internet Information Services (IIS) and log files!

 

Every Epicor E10 and Prophet 21 middleware server uses Microsoft Internet Information Services (IIS) to get the job done. By default, IIS writes a new log file under C:\inetpub\logs\LogFiles for every day it is running, and we can often tell how long a server has been up just by counting IIS log files. Chances are, though, that you never look at those files. If nothing reads them, we recommend disabling the IIS logs in IIS Manager to save the I/O and disk space, but check first: IIS logs are frequently the only record of which requests reached the server, so if you need them for auditing or incident investigation, keep them, move them to another volume, and mark that folder for NTFS compression for the best balance of space and performance. After that, a weekly script that deletes the oldest files will keep things neat and trim. My go-to command, which deletes log files older than 30 days, is:

FORFILES /P C:\inetpub\logs /S /M *.log /D -30 /C "cmd /c del @file"
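As an added example (not code from the original post), the following PowerShell script does the three things the paragraph describes in one place: it moves IIS logging off the system drive, marks the new folder for NTFS compression, and prunes files past a retention window. Moving the logs off C: also means a flood of requests can fill the log volume without exhausting the system drive. It assumes the WebAdministration module that ships with IIS, and the target path D:\IISLogs and the 30-day window are placeholders to adjust.

```powershell
# Added example, not from the original post. Relocate IIS logs, compress the
# new location, and prune old files. Assumes the WebAdministration module (IIS)
# and that D:\IISLogs is a non-system volume; both are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$LogRoot       = 'D:\IISLogs',   # assumed target volume/folder
    [int]   $RetentionDays = 30,
    [switch]$WhatIf                          # pass -WhatIf to rehearse the delete
)

Import-Module WebAdministration

# 1. Create the folder and mark it compressed; files created later inherit
#    the attribute, so only the directory itself needs compact.exe.
New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null
& compact.exe /C /S:"$LogRoot" /I /Q | Out-Null

# 2. Point the site defaults and every existing site at the new folder.
Set-WebConfigurationProperty -Filter 'system.applicationHost/sites/siteDefaults/logFile' `
    -Name directory -Value $LogRoot
Get-Website | ForEach-Object {
    Set-ItemProperty -Path "IIS:\Sites\$($_.Name)" -Name logFile.directory -Value $LogRoot
}

# 3. Retention: remove W3C log files older than the window. LastWriteTime is
#    used instead of parsing the u_exYYMMDD.log name so the rule still works
#    if the log rollover scheme is changed.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
$old = Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -File |
       Where-Object { $_.LastWriteTime -lt $cutoff }
$old | Remove-Item -Force -WhatIf:$WhatIf

"Pruned {0} file(s) older than {1:yyyy-MM-dd} from {2}" -f @($old).Count, $cutoff, $LogRoot
```

Run it once by hand with -WhatIf to confirm which files would go, then register it as a weekly Task Scheduler job. Pick the retention window to match whatever audit or incident-response requirement applies to the server rather than defaulting to 30 days.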

 

If you liked reading the “Sixth Day of ECHO,” return to our main list to read all of the other “12 Days of ECHO” posts.

ECHO is EstesCloud Managed Hosting. What does that mean, and what does it have to do with Microsoft IIS log sprawl? What doesn't have to do with cloud-based data strategy these days? EstesCloud brings you all the security and reliability of cutting-edge technology, and you don't have to maintain it or worry about whether it's compliant or about to crash. We take on the worries so you can focus on your business. (This might even leave you a little free time to look at your Microsoft IIS logs, if you like.)

 

Do you have questions or need assistance with your Epicor system?  Please feel free to contact us and see if we can help get your bits and bytes in order.

 


12 Days of ECHO, Fourth Day: My Admin Gave to Me Tips on SQL 64k Clusters!

Tips on SQL 64K Clusters and Epicor SQL Services Database Bytes

 

Microsoft SQL Server does most of its I/O in 64 KB extents (eight 8 KB pages), but Windows formats NTFS volumes with 4 KB allocation units ("clusters") by default. Studies have shown that the volumes holding SQL databases and transaction logs benefit from 64 KB clusters, with up to 35% better performance! To check your cluster size, open an elevated command prompt and type "CHKDSK D:" (where D: is the volume holding your databases; without /F this is a read-only scan, but it can take a while on a large volume). The line ending in "bytes in each allocation unit" should say 65536, not 4096. The command "fsutil fsinfo ntfsinfo D:" reports the same value as "Bytes Per Cluster" and returns immediately.   

 

If you find that your server admin formatted the volume with the default 4096-byte allocation unit, changing it is easy, but remember that the reformat destroys everything on the volume: kick everyone out of Epicor, shut down the SQL services, and back up the entire volume, then verify that the backup is restorable before you go any further. Then reformat with 64 KB clusters and restore the volume. Restart the SQL services (and your Epicor Task Agent) and let the users back in! 
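Before touching anything, it helps to know exactly which volumes SQL Server is using and which of them still have the 4 KB default. The script below is an added example, not the original post's procedure: it asks the instance where its data and log files live and reports the allocation unit size of each drive they sit on. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), Windows authentication to the instance, and that the instance name "localhost" is a placeholder for your own.

```powershell
# Added example, not from the original post. Report the NTFS allocation unit
# size of every volume holding a SQL Server data or log file. Assumes the
# SqlServer module (Invoke-Sqlcmd), Windows authentication, and a placeholder
# instance name; all three are assumptions.
param(
    [string]$ServerInstance = 'localhost'   # placeholder instance name
)

$expected = 65536   # 64 KB: the extent size SQL Server reads and writes

# sys.master_files lists every file of every database on the instance.
$files = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @'
SELECT DB_NAME(database_id) AS db, type_desc, physical_name
FROM sys.master_files
'@

# Reduce the file list to the distinct drive letters in use. UNC paths and
# mount points without a drive letter are skipped; check those by hand.
$drives = $files | ForEach-Object {
    if ($_.physical_name -match '^([A-Za-z]):\\') { $Matches[1].ToUpper() }
} | Sort-Object -Unique

$report = foreach ($d in $drives) {
    $vol = Get-Volume -DriveLetter $d
    [pscustomobject]@{
        Drive              = "${d}:"
        FileSystem         = $vol.FileSystem
        AllocationUnitSize = $vol.AllocationUnitSize
        SqlFiles           = @($files | Where-Object { $_.physical_name -like "${d}:*" }).Count
        OK                 = ($vol.AllocationUnitSize -eq $expected)
    }
}
$report | Format-Table -AutoSize

# Non-zero exit if any SQL volume still has the 4 KB default, so the check
# can be used as a gate in a build or server-validation script.
if ($report | Where-Object { -not $_.OK }) { exit 1 }
```

A volume that shows up here with AllocationUnitSize 4096 is a candidate for the backup, reformat and restore procedure above; one that holds only tempdb or backups may not be worth the downtime. Run the check again after the restore to confirm the new cluster size took effect.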

 

Sound like too much for you to handle? 

Give us a call or send us a message, and our database admins would be happy to assist. 

 

If you like this tip and trick post, please read our other 12 Days of ECHO.

About the Author

Daryl Sirota has served for 35+ years in IT, both as a sole proprietor and as a senior team member at System Source, and now as VP of Managed Services at EstesGroup. He loves to travel and currently resides near EstesGroup headquarters in Loveland, Colorado.

Daryl Sirota – VP, Technical Services
12 Days of ECHO, Second Day: SQL Licensing

On the Second Day of ECHO, my System Admin gave to me, SQL Licensing!

 

You probably already know that Microsoft SQL Server is required for Epicor 10 and Prophet 21, but do you know whether you are in compliance with Microsoft's licensing terms? SQL licensing can be confusing, but in most cases it comes down to either "per core" or "per user" (Server + CAL). There is an exception for SQL Enterprise licensing on a hypervisor, but that is a specialized case. Most smaller organizations use SQL Standard Edition, as opposed to the more expensive and more capable Enterprise Edition. Likewise, most Epicor clients use the "per core" licensing model rather than the "per user" model. 

 

In short, if you are running SQL Server in the "per core" licensing model, every two cores available to SQL Server must be covered by a 2-core license pack, with a minimum of 4 cores per server. If you have more than one SQL Server, you must license a minimum of 4 cores PER server! Keep in mind that the SQL Server Database Engine and SQL Server Reporting Services (SSRS) are both licensed software: if they are split onto different servers, EACH server must be appropriately licensed. 

 

We've seen clients increase their SQL Server CPU core count to see if they get faster processing, only to end up violating their license agreement and creating expensive problems when the Microsoft auditors come knocking. Likewise, splitting the Database Engine and SSRS onto separate servers will increase your license count. 

 

One small consolation prize: multiple instances of SQL Server on the same operating system do not require additional licensing beyond the first instance. Therefore, you might find some benefit in running another SQL instance on the same server to split queries. (See our future blog post, 11th Day of ECHO: Separating OLTP and DS – detecting and avoiding deadlocks.) 

 

The downside is that all SQL Server licenses are on an honor system: the software does NOT track licenses, so it is your job to make sure you are in compliance! 

 

Till next time, keep the holiday cheer! 

 

If you liked reading the “Second Day of ECHO” return to our main list to read all of the other “12 Days of ECHO” posts.

 

Do you need assistance managing your SQL licenses or database administration?  Please feel free to Contact Us and see if we can help get your bits and bytes in order.


The Unique Family Dynamics of a Successful ERP Implementation

Tolstoy famously remarked that “all happy families are alike; each unhappy family is unhappy in its own way.”  Reflecting on Tolstoy’s own relations and on the kindred lives of the characters in his novels, I’ve often wondered if Enterprise Resource Planning (ERP) implementations are like families, and whether such categorical statements could be similarly applied to successful and unsuccessful families of projects.  While every project has its own unique dynamics, I’m obliged to believe that roughly the inverse of Tolstoy’s statement is the case—that each happy ERP implementation isn’t alike, but rather is successful in its own way.

 

That is, I’ve seen successful ERP implementation projects that have differed from one another in surprisingly significant ways.  As such, it might be best to review successful ERP projects individually and try to understand what it is among them that made them successful.  Anyone can wax eloquent on the generic platitudes that lead to a successful implementation, but in practice, when the time comes to make tradeoffs between platitudes, it’s helpful to know how companies work through challenges and finally arrive at successful implementations.

 

One project that we recently completed fit such a mold.  While not free of obstacles, the end-product was immensely successful.  A number of key factors led to the ERP implementation’s success:

  • All of the team members were engaged and onboard.  Getting the team to buy into the project’s mission, and actively support that mission, was never a problem.
  • The project team did a large amount of their own end-to-end testing.  Unlike some projects, where the team only tests while the consultants are onsite, the team verified their system configuration and business processes whenever possible, leading to a rock-solid business process at cutover.
  • The team took ownership of issue resolution.  The team dug in, tried things out, and came to solutions.  This served to greatly shorten certain phases of the project.
  • The team made decisions quickly, collaboratively.  The project was rarely, if ever, waiting on a key decision, and nobody on the team could have been accused of analysis paralysis.
  • The team took responsibility for their roles and did the work on time, and on schedule.  Schedule attainment was a high priority, and the team put the necessary work in to make things happen.
  • The team displayed a culture of respect, staying respectful during difficult conversations and decisions.  The stresses involved in an ERP project can at times encourage dysfunctional or toxic behaviors, but this team treated each other with a high degree of respect, even when working through the toughest decisions.
  • The team's project management was of the highest caliber, displaying excellent collaboration and communication with the core team and with the EstesGroup team as well.

The net result was a successful ERP implementation project on-time and on-budget, with the expected level of system capabilities.  The team experienced a clean and quiet cutover, and quickly stabilized.  Within a short time, the company had moved onto managing daily operations and planning for the future.

Every project has its wayward sheep, be they executive sponsorship, excessive customization, inadequate team investment, or challenges with data conversion.  No project ever checks all the happy boxes.

 

But in spite of challenges, the best companies still manage to successfully implement their enterprise systems, keeping their team engaged, committed, and dependable—regardless of all the unique twists in their project’s DNA.

 

Are you ready for your company to create its own exceptional implementation story?

Come talk to us, and we’ll share some of the greatest success stories of ERP history—prosperous implementations similar in success, yet nuanced in achievement—stories that can inspire your own project to be a story with a happy ending.

Much Needed Functionality: Prophet 21’s Rental Management Application

To Rent or To Buy – More and More Often, It’s To Rent.

In some ways distribution has not changed over the past 50 years, but in other ways it really has morphed (I know, that statement was non-committal). Take product rental management, for example. Your customers still want your fantastic product, whether that is cars, industrial equipment, cylinders, or furniture, and there is a paper trail to track those rentals and bill for them appropriately. Unfortunately, not many Enterprise Resource Planning (ERP) systems easily track rental products, so distributors are forced to look for standalone products and old-fashioned paper trails, either way creating a lot of workarounds or duplicated effort for a company. Epicor recently released a new application for distributors, and I for one am extremely excited about it.

 

The new Epicor Rentals Management (ERM) solution makes tracking rentals within the Epicor Prophet 21 ERP (P21) simpler and more efficient. ERM handles the actual rental transaction while the P21 application holds all other data like customers, items, accounting, inventory, etc.

 

Prophet 21 (P21) Epicor Rental Management

P21 Rental Management Tracking

Some of the primary benefits of Epicor P21 Rental Management (ERM) are:

  • Efficient Rental Transaction Processing
  • Manages Scheduling and Assignment Processes
  • Flexibility in Pricing Rental Designs
  • Flexibility in Product rentals for day, week, month, mileage, hours used, etc.
  • Simplified contract maintenance
  • Automatic Rental Billing
  • Rental Availability


What is really nice about the ERM module is that when your customer service or sales team enters a new rental order, the process is just like any other order in P21, using the Order Entry window. With everything set up, the sales associate simply enters a rental item and P21 switches the order from a standard Sales Order to a Rental Order. Switching to a Rental Order opens the ERM module to finish the rental processing, with information like state, dates, duration, and even serial and lot tracking.

 

A few of my favorites I’ve seen so far are:

 

Simplified Contract Maintenance

Contracts. Need I say much more before the room starts to groan? Usually contracts are done on paper, sometimes with carbon copies, though often it is a matter of printing, signing, and scanning. Thankfully, ERM helps simplify that painful (and, let's face it, rather wasteful) process. Within ERM the sales agent inputs the data, and the customer reviews the contract and signs for it, making the entire process much simpler. The final contract can then be stored electronically with ease, or printed or emailed once finished.

 

Automatic Rental Billing

The Finance department is going to love this feature. No more grabbing that monthly billing folder, file cabinet, or Excel list of customer names and billing frequencies. ERM's automated rental billing lets finance set billing intervals and then generate the invoices according to your business schedule.

 

Tracking

Everyone loves tracking: dashboards, lookups, quick reference, you name it, and the ability to quickly find the data you need when the customer needs it. The ERM module makes it easy to see rentals by customer, rental product type, and so on.

 

Let's face it, at the end of the day, being a rental business is hard work. Unlike most manufacturers and non-rental distributors, who have little need to track their products once the item has shipped, you need to know who, where, how long, and at what price, and then rinse and repeat for the next customer. Epicor's Prophet 21 Rental Management solution fills a large functionality gap for distributors.

 

To end this on a light note; I recently heard a funny rental joke:

 

Why was the mole’s rental fee so costly?

Because he burrowed and never returned.

 

Questions or feedback on this article? Wanting more information on Prophet 21 ERP or P21 Rental Management? Let us know.
