CMTC's Shifting Gears

Season 10 Episode 2 - Managing the Cybersecurity Practices of IT Providers

Posted by Rachel Miller

Episode Show Notes

Episode 2 features Dr. Ron McFarland, Sr. Consultant of Cyber Physical Security Services at CMTC. Ron discusses what a third-party IT provider is, the services they typically provide, and why they tend to be prime targets for cyber attacks. Ron goes on to explain the ways SMMs can make sure they’re hiring the right provider, red flags to look out for, and tips to ensure their IT provider is following best practices.

Dr. Ron McFarland is Sr. Consultant of Cyber Physical Security Services at CMTC. Dr. McFarland has over 30 years of experience as a systems analyst and cyber security consultant. He was the Cyber Security Program Manager working to support a regional cyber security educational initiative for the South Central Coast Regional Consortium in California. He holds multiple security certifications, including the prestigious Certified Information Systems Security Professional certification and several Cisco certifications.


00:00:02 - Introductions

00:01:18 - Definition of third-party provider and typical services

00:08:45 - Why a third-party IT provider or an MSP might be a prime target for a cyberattack

00:12:06 - How to vet an IT service provider

00:14:02 - Importance of detailed service-level agreement

00:16:11 - Pros and cons of having a third-party IT provider

00:21:04 - Role of third-party IT provider in preventing a cyberattack on SMM they serve

00:29:35 - How a third-party IT provider could help SMM in the event of a cyberattack

00:35:48 - Benefit of testing

00:39:05 - Definition of flow down clause and how it affects both parties

00:44:59 - How to ensure SMM is using the right third-party IT provider

00:53:47 - Red flags to watch for when choosing a provider

01:00:57 - Definition of shared responsibility model

01:06:40 - How an SMM can make sure their third-party IT provider is following best practices



Gregg Profozich [00:00:02] In the world of manufacturing, change is the only constant. How are small and medium-sized manufacturers (SMMs) to keep up with new technologies, regulations, and other important shifts, let alone leverage them to become leaders in their industries? Shifting Gears, a podcast from CMTC, highlights leaders in the modern world of manufacturing, from SMMs to consultants to industry experts. Each quarter we go deep into topics pertinent to both operating a manufacturing firm and the industry as a whole. Join us to hear about the manufacturing sector's latest trends, groundbreaking technologies, and expert insights to help SMMs in California set themselves apart in this exciting modern world of innovation and change. I'm Gregg Profozich, Director of Advanced Manufacturing Technologies at CMTC, and I'd like to welcome you. In this episode, I’m joined by Dr. Ron McFarland, Senior Consultant of Cyber Physical Security Services at CMTC. Ron discusses what a third-party IT provider is, the services they typically provide, and why they tend to be prime targets for cyberattacks. Ron goes on to explain the ways SMMs can make sure they’re hiring the right provider, red flags to look out for, and tips to ensure the IT provider is following best practices. Welcome, Ron. It’s great to have you here today.

Dr. Ron McFarland [00:01:16] Well, it’s great to be here.

Gregg Profozich [00:01:18] Ron, I’m excited about our conversation today and looking forward to hearing your perspectives and your insights. Let’s get started. We’re here to talk about cybersecurity risks, but in particular, cyber risks that come from third-party IT providers. Indirect attacks, successful breaches coming into companies through third parties, increased to 61% from 44% in the last several years, according to the World Economic Forum’s Global Cybersecurity Outlook 2022. I’m no expert, but that seems to me like a significant number and a significant increase. If I were an SMM who uses a third-party provider, I’d probably be concerned. To set context for our discussion and for our listeners, can you define what a third-party IT provider is and what services they typically provide?

Dr. Ron McFarland [00:02:00] Well, sure. Let me give you a little bit of background first. About three years ago, CMTC did an extensive bit of research on some of our small to medium manufacturers who use IT service providers. Now, with the SMMs’ agreement, we reviewed over 80—I think, actually, it was 83 SMMs—and narrowed down our focus to 10 of our SMMs that use IT service providers. We wanted to know how SMMs generally engage with a third-party IT provider in order to highlight the concerns and the opportunities when engaging with an IT service provider. Now, to address your question: a third-party IT provider, also known as an IT services provider, or sometimes called a managed service provider (or an MSP), is an independent company that offers specialized IT services to other businesses, like the small to medium-sized manufacturers that we serve. These services typically span a variety of technology solutions, which are tailored to meet the needs of the SMM they serve. Now, I have a whole list of variations of what an SMM does provide. Those include things like proactive IT management. Now, this pertains to the remote administration of a company’s IT framework and the end user system. Rather than having an in-house IT department, the SMM can hire either an IT provider or an MSP to handle those day-to-day administrative tasks. Also, sometimes cloud system solutions; an IT service provider can support that. However, I just want to note that there are some issues with using cloud service providers that we’ll talk about probably a little bit later. Another area that IT providers and MSPs offer is cybersecurity. That includes performing cybersecurity evaluations, overseeing threat detection, carrying out vulnerability assessments, and responding to security incidents to protect the company’s digital assets. The next aspect is data safeguarding and retrieval. This type of service ensures that the critical business data is backed up consistently and can be retrieved promptly in the event of a data loss. Also, an IT service provider can support the network configuration and oversight. This relates to the design, the execution, and the management overall of the company’s network to guarantee not only reliability but connectivity, performance, and cybersecurity management. Another aspect is tailored software development and synchronization. IT service providers and MSPs can create custom software to fulfill unique business requirements. I would say another aspect is hardware and software maintenance. This type of service deals with diagnosing and preserving a company’s hardware and software to ensure peak performance and make sure that patches are updated. The hardware is also addressed in terms of security, as well. Usually, an IT provider or MSP also supports advisory and strategic planning. Numerous third-party IT providers, for example, can support that strategic guidance to an SMM if that’s dialed in. They can help support technology-related decisions.

Gregg Profozich [00:06:10] Ron, it sounds like there are an awful lot of things that they can do. I keep hearing you say the word can. Does every MSP or every third-party IT service provider do all of those things?

Dr. Ron McFarland [00:06:21] No. Therein lies the issue. One IT service provider or MSP could offer all or most of the services, whereas another on the opposite end of the spectrum could only offer, let’s say, support for the hardware and software. We have a variety of IT providers out there. Some are very sophisticated, while others are a little on the nascent side if you will.

Gregg Profozich [00:06:51] I hear you saying that there’s niche providers, and then there’s full-service providers. I’d imagine if I’m a full-service provider, I would probably offer menu pricing. An SMM could also be saying, “Out of your 12 services or your 8 services, I want these three.” Is that true?

Dr. Ron McFarland [00:07:08] Not always. I think the key aspect is that the SMM oftentimes will rely fully and wholly on an IT service provider or an MSP. However, what really needs to be done is a service level agreement between the SMM and the IT service provider, which often isn’t done. That whole menu of what the SMM needs isn’t typically fully addressed by most IT service providers. That’s what we found in our research. What we found out of interviewing … We did a small subset of 10, as I mentioned, but we also talked to 83 of our SMMs. We found, for the most part, the IT service providers did not fully support all the needs that the SMM required.

Gregg Profozich [00:08:03] Their offering wasn’t that exhaustive list you just gave us. There was something less than that. Is that what you’re saying?

Dr. Ron McFarland [00:08:09] That’s true. Mostly, the cybersecurity and security for cloud were where most of the weaknesses were, if you will. A lot of the IT service providers, as an example, would offer what’s typically called a flat network architecture. Also, their cloud services weren’t up to snuff in terms of cybersecurity. We worked with a lot of … That’s what we primarily do: work with our SMMs to tighten up any of those gaps in cybersecurity.

Gregg Profozich [00:08:45] There’s a lot of different providers out there, it sounds like. They could offer any number of those different services you mentioned. Why would a third-party IT provider or an MSP be the prime target for a cyberattack?

Dr. Ron McFarland [00:09:00] Well, think of it this way. First off, they have access to multiple organizations. An IT service provider could … I’ve seen them range up to where they’re offering services to 200 to 300 clients. But mostly in our space, when working with SMMs, we find our IT service providers were working with anywhere from 10 to 40 or 50 other clients. Think in terms of, if you are an attacker, the sweet spot would be to get into one IT service provider and perhaps have access to those records that that IT service provider is managing for the 30 or 40 SMMs. That makes it a real sweet spot for the attacker.

Gregg Profozich [00:09:50] If I go hack an individual company, I spend time, and I get one company’s worth of data if I’m successful. If I attack the IT provider, I can get multiple companies’ worth of data potentially. I have access to it, and their systems, and any IT that they may have. I think that’s what you’re saying.

Dr. Ron McFarland [00:10:05] Absolutely. I think we’re seeing a lot of that occurring, not only with MSP and IT service providers. If you look at all the supply chain attacks that have been happening as of late, a lot of the targets are the IT service providers and MSPs. It’s because of the shared infrastructure that is occurring within an IT service provider.

Gregg Profozich [00:10:29] Any other aspects of that, why it would be good if I’m a hacker, why I would want to target them?

Dr. Ron McFarland [00:10:35] Well, let’s say if you’re an IT service provider, you do have a shared infrastructure. Let’s say you’re using something like a Software as a Service cloud, and then you’re doling that same service out to 30 of your clients. Perhaps the security practices aren’t as tight around that cloud solution that you’re offering. Perhaps also, you’re integrating with your clients’ networks, and that may not be buttoned up as well as it should be. Also, within the IT service provider, I do want to note that third-party IT providers have employees who have access to sensitive client information, and they, too, can cause what’s often termed an insider threat. Now, these employees could compromise, whether through accident or intention, through social engineering, perhaps some sort of bribery or coercion. That could cause significant damage. Not only is the IT service provider’s or MSP’s infrastructure at risk, but also the employees that work for the IT service provider may do something a little kludgy that could lead to an exfiltration of data or some sort of hack.

Gregg Profozich [00:12:06] It sounds like there could be a lot of risks with having the “wrong provider,” one who doesn’t have the right kind of robust security practices in place. If I’m a small or midsize manufacturer, IT and cybersecurity is not my core competency. I’m a plastic injection molder, or I’m a metal bender, or I’m a CNC shop, or I’m food production. That’s my core competency. But I need to have a way of vetting my IT provider to make sure that they have all these things in place.

Dr. Ron McFarland [00:12:34] Oh, absolutely. What happens is generally … I get that a small manufacturer just wants to focus on their core competency. I get that. The tendency, though, is to pitch those items that you need done in terms of cybersecurity over the wall and then do that full trust to an IT provider or SMM, because perhaps they have a good reference from the person across the street or a nice business park. Once an SMM decides to focus on the cybersecurity needs, they need to work on the service level agreements—not only what they need but what the provider can provide—and look at those gaps in services of the IT provider that they’re choosing. The best process for an SMM to select an IT provider is to first determine all of their needs in terms of IT management as well as cybersecurity management. List those out, and then create a matrix in order to design a service level agreement, perhaps, with an IT service provider. Perhaps you even use that as a scoring so they can review their existing IT service provider or perhaps even hire a new IT service provider.

Gregg Profozich [00:14:02] The service level agreement would specify things like in the event that the server is down, we will have a tech on-site or a tech working on the problem within X time and be back up within X time. Is that the kind of thing a service-level agreement does?

Dr. Ron McFarland [00:14:17] Yeah, that’s one of the aspects. Another critical aspect, since we deal with a lot of SMMs who work with the Department of Defense in terms of their contracts, is the incident reporting. When you get to an incident, let’s say an incident happens at an IT provider. A worthy IT provider recognizes that something happened on the network that involves the SMM. The SMM stayed up. It really gets down to how that gets reported. Does the IT provider report it? Does the SMM report it? It really should be the SMM. But that really dials out to that service level agreement. We’ve had incidents where, let’s say, some data was exfiltrated from an MSP. Something happened, an incident occurred, and they waited a bit too long to let the SMM know that some of their data was breached. In fact, when you’re working on a DOD contract, the SMM is required to report to the DIBNET, the defense industrial base network, within 72 hours of the incident occurring. If the MSP or IT service provider sits on their hands about it, it could be a huge contractual risk for the SMM but also a significant risk for the DIBNET, as well.

Gregg Profozich [00:15:53] Having those service level agreements and understanding what contractual terms an SMM may have with different governments, or different agencies, or different customers, and making sure those terms are reflected in the service level agreement, sounds like something that’s going to be very important.

Dr. Ron McFarland [00:16:09] Yes, absolutely.

Gregg Profozich [00:16:11] We’re not here to bash IT service providers, obviously. Let’s step back for just a minute and talk about the pros and cons. What are the pros and cons of hiring an IT service provider? Like I said before, not my core competency. I’d assume that I get a higher level of expertise, and I only have it part-time. What are some of the other benefits?

Dr. Ron McFarland [00:16:29] Well, I do sound a little bit negative going into this. But I do want to let you know that there are a lot of very competent IT service providers out there. A lot of them bring to the table a great amount of expertise. They have a lot of knowledgeable professionals who keep up with the latest trends, the security measures, all the technical issues. Oftentimes also, another item is cost efficiency. Rather than hiring a full-time in-house IT team, let’s say if you’re an SMM with 25 employees, you’re not going to go out and hire two or three IT people, because that’d be quite expensive. Cost-wise, it may be more efficient to hire an outside IT service provider. Now, scalability—as the business grows, as let’s say … I’ve worked with a company that actually during the pandemic, their business grew from about 20 employees to 35, which is a significant piece of growth. They do have a robust IT provider. Rather than scaling up on their own, the IT service provider could manage that scale, and they were able to work with the company to do that. Then there’s 24/7 support. Now, if you’re an SMM, you could have 8:00 to 5:00 working hours or maybe two shifts, but you might not have that 24/7, 365 support that an IT service provider has. Also, like you mentioned before, it’s not their core competency. When you hire an IT service provider, you’re hiring that core competency. You’re outsourcing that core competency that that IT provider can give you as an SMM.

Gregg Profozich [00:18:22] Those are all the good things.

Dr. Ron McFarland [00:18:25] Yeah. I’ll list a few cons if you will. The lack of control. For example, when you’re outsourcing, you’re placing trust in the hands of an external entity. That’s why I’m saying that service level agreement really needs to be buttoned up so you know, as the SMM, who does what when something occurs. That’s really dialed in. There is also potential for lower prioritization. What I mean is the provider has multiple clients—I mentioned 20, 30 for some—so your business might not be their top priority. This could potentially lead to a slower response time or less personalized service. Again, this dials back to that service-level agreement. Security risk. We talked about some of the security risks. When you’re sharing sensitive data, if you’re having an external company manage that external data, you want to make sure that it’s buttoned up so if there is an incident that has occurred at that IT provider who manages 30 SMMs, for example, your data has been securely buttoned up, at least. Communication. I would say that’s probably one of the more significant problems that I’ve seen between IT service providers and SMMs. There needs to be that constant and persistent communication between the IT service provider and the SMM. That relates to the dependency. One other thing that I can think of is lock-in. A lot of times … This has happened with a couple of our clients when they decided to switch from one IT service provider to another. I’ve seen this firsthand, unfortunately, with our SMMs, when they’ve switched. What lock-in is, the IT service provider may be using very specialized hardware, software, what have you to do that management. If you’re switching from that service provider to another, the other service provider may not have that matching software. That would be part of the contractual agreement, that service level agreement, as well, to disallow that vendor lock-in, if you will, with an IT service provider. I would say that is an overview of the cons of hiring an IT service provider.

Gregg Profozich [00:21:04] We’ve talked about a lot so far. We’ve covered what IT service providers are, what MSPs are, the range of services that they can offer. We talked a little bit about the importance and service level agreements. We’ve talked a little bit about why they’re a prime target for bad actors. Let’s get a little more focused on the cyber aspects of this. What should the role of a third-party IT provider be in preventing a cyberattack for an SMM they serve?

Dr. Ron McFarland [00:21:29] That’s a good question. Well, a third-party IT provider does play a pretty critical role in preventing cyberattacks for the SMM. The role can be … Actually, I look at it as dividing it into a couple of key areas. First off, evaluating the risk. The service provider is expected to examine the SMM’s system to pinpoint potential weak points. This could encompass an analysis of the software they use, the hardware, the SMM’s networks, along with a review of habits and protocols followed by the company’s personnel. Now, I’m talking policy, procedures. There could be that linkage that the SMM has with the IT service provider. The IT service provider can provide that evaluation. Another area is that the IT service provider can help with building the security infrastructure. This can involve the inception, the execution, the sustainment of security measures—things like firewalls, intrusion detection systems, encryption methods, secured communication channels. Those are some concepts that come to mind. The service provider might also be in charge of designing and managing secure backup systems. That’s very much needed not only in terms of cybersecurity but also restoring systems if an event does happen. Another item that an IT provider can help with is training. The service provider can be tasked with training staff in terms of principles of data security. We call that cyber hygiene. Another one is—and we support this, as well—the compliance and policy oversight: the service provider is required to comply with DFARS. Now, I want to make a special note on DFARS requirements. DFARS is part of the federal acquisition regulation system for defense, if you will. What I’m dialing into is, again, our SMMs that we work with. Most of them are DOD contractors. They work with special data, let’s say sensitive data, called controlled unclassified information, CUI. This sensitive data sometimes is managed by the IT service provider. The IT service provider is also required to follow those regulations, since they’re handling that data. That gets into one other item I do want to mention. Well, there’s actually a couple. When you’re hiring an IT service provider, you want to make sure that you have, again, that SLA dialed in as to who manages and responds to a cybersecurity incident. Should a cybersecurity attack occur, the external IT provider must have a predetermined incident response plan that connects the SMM to that incident, as well. Further, the IT provider must notify the SMM to address any what’s called DIBNET reporting requirements. I mentioned 72 hours. I’ve got a list of a couple other items that come to mind. The IT service provider is in charge of the supervision and the upgrade management for the SMM’s infrastructure. We see software upgrades always being applied. The IT provider would be responsible for applying that patch management as well as upgrading any firewall hardware in the infrastructure. The IT service provider must also supervise their third-party vendors. Now, think of it this way. When you hire an IT service provider, they may not have 300 people on staff with gobs of hardware; they may be outsourcing items on their behalf, as well. When an SMM hires an IT service provider, that IT service provider may dole out some additional services threaded within their offerings. If the SMM has CUI—CUI is that sensitive government data—that the IT service provider’s managing, there’s a cascading effect. You have to make sure, as an SMM, that you know where your data is going. Where is the IT service provider doling out that data? You have to do that deep thread cutting. What’s important is planning for business continuity. We’ve had SMMs who’ve contacted us to support their cybersecurity after they’ve been locked up with ransomware, let’s say, for example. We’ve looked at their business continuity planning to support them with that. An IT service provider really needs to be dialed in in terms of backups and the restore process if somebody gets locked up. We all know that ransomware is one of the big things now. If an SMM gets locked up with ransomware, how does that IT service provider get them up and running in terms of business continuity? That’s a key factor. In short, a third party… Then there’s probably many other aspects that I missed. A third-party IT provider should be pretty proactive in terms of working with the SMM against cyber threats. They’ll need to be vigilant, pretty flexible, and constantly updating their knowledge and their tools to keep pace with evolving cybersecurity threats and defense strategies that the SMM is compelled to be tightened up with in terms of their contract, as well. There’s that articulation that I’m really emphasizing between the SMM and the IT provider, especially if it’s around the DOD, defense-sensitive information.

Gregg Profozich [00:28:08] There’s a long list, it sounds. I’ve been taking some notes here. I heard you say in terms of the role for an IT provider on preventing cyberattacks, it’s everything from evaluating risks, what are the weak points within the SMM’s systems, building the security infrastructure to make sure you’ve got the right things in place like firewalls and things; doing the training of both their internal people at the provider as well as the client people; making sure they have compliance and policy oversight in place; responding and reporting incidents; making sure that the service level agreements are in place to make sure that SMM’s contractual requirements with any government agencies are going to be fulfilled through that process; supervision of upgrades, making sure that the latest patches are loaded that are closing any of the identified weaknesses in given software, hardware systems; supervising third-party vendors; and then having a business continuity plan. There’s a lot of work in all of that, it sounds like.

Dr. Ron McFarland [00:29:05] Oh, you bet. I probably have not covered everything, but you can see the depth and breadth of the situation that the SMM is facing in that term.

Gregg Profozich [00:29:19] If I’m an SMM, I should be looking for at least that list, is what I hear you saying.

Dr. Ron McFarland [00:29:25] At least that list, yes.

Gregg Profozich [00:29:27] Awesome. Ron, you mentioned CUI a minute ago, and I want to make sure that people have it.

Dr. Ron McFarland [00:29:31] CUI, controlled unclassified information.

Gregg Profozich [00:29:35] Perfect. If an SMM is a victim of a cyberattack, how would a third-party IT provider help them?

Dr. Ron McFarland [00:29:42] That’s a great question. An SMM can benefit from the assistance of a third-party IT provider in several ways after suffering from a cyberattack. The steps taken can vary depending on the nature of the attack, the SMM’s existing system, and recovery plans. Again, I’m referring back to the service level agreement that the SMM has with the IT provider. Some potential steps include things like the incident response. The first step would be to quickly understand what happened. I’ve talked about the CUI, the controlled unclassified information that the SMM receives from the DOD. The IT provider may be supporting that. The first step is to understand what happened. If the incident involved CUI, then you’ve got that 72-hour window that the SMM is on the hook for. The IT provider really needs to jump in promptly—that’s, again, the SLA—in order to identify the nature and the extent of this attack. This could include determining what systems were compromised, what information was accessed or perhaps lost or locked up, and how the attacker gained access to the system. Now, that’s the initial concept. The other one is containment. You don’t want the … If an incident is occurring, you don’t want that, as an IT provider or the SMM, to be propagating throughout your network. After assessing the situation, the IT provider would need to take immediate action to prevent further damage, perhaps further exfiltration of the data. This could involve taking the affected systems offline, removing malware or other malicious code, and closing any security gaps that were used in the attack. Also, recovery. This is business continuity if you will. The IT service provider would then help the SMM recover after the attack. That would be part of the SLA. You want to make sure that your backups are in place, that they were tested. If something happened to your system as an SMM, you want them restored within a certain period of time so you don’t lose production time. This might involve restoring systems and data from backups, hopefully, if they’re available, or rebuilding systems from scratch. If customer or employee data was lost, the provider might also assist with steps to mitigate the impact, let’s say, such as credit monitoring services where it affected individuals. We do have some SMMs that not only work with DOD but also do consumer front-end type of compliance, and they take credit cards, as well. One of the other items is forensics and reporting. In some cases, it’s important to conduct a more detailed forensic investigation. Matter of fact, in terms of the Department of Defense, it’s required to retain audit logs for a certain period of time. Let’s say if you’re an SMM, the FBI could come by and visit you and say, “Hey, we need your audit logs from that incident you reported three months ago. We’re following a cybercrime group because they attacked 15 other DOD suppliers.” That’s certainly an important aspect of that forensics and reporting. The IT provider could also help with any required reporting for the breach. For example, they could have firewall logs that may be part and parcel of the investigation that is needed later on. Finally, the IT provider can help with the prevention and education of the SMM in terms of mitigating any future incidents that might occur, just based on the knowledge that the SMM doesn’t have because that’s not their whole bailiwick; it’s the IT provider’s. I would say that it’s important to note that it has to be a very proactive approach to cybersecurity, including regularly scheduled audits between the SMM and the IT service provider, just to make sure that everything is in lockstep with the service level agreement. Employee training on both the SMM and IT provider side has to be persistently and consistently done. The creation and monitoring of an active incident response plan. Everyone should know about that incident response plan and who needs to be called up at one particular time to determine that incident. That would also help prevent attacks or at least lessen the possibility of those attacks occurring.

Gregg Profozich [00:34:53] A number of things in my notes as I’m listening. If you’re the victim of a cyberattack, you would want your third-party IT provider to be prepared to do all of the following: incident response, understanding what happened, containment to make sure that if it’s still in progress that it’s not propagating through a larger system or a larger network, or even worse, outside of your network into customers, or suppliers, or those kinds of things; recovery, stopping it, containing it, but then getting back up and running. If it takes two weeks to get up and running, your business is doing nothing for two weeks. That’s not good, either. There’s a recovery aspect of it. For instance, it’s forensics and reporting, having data available for any agencies or entities that would need that data as part of an investigation. Prevention and education piece to make sure that everybody understands what happened and how to make sure it doesn’t happen again. Is that the synopsis of them all?

Dr. Ron McFarland [00:35:45] Yeah, I would say that’s a synopsis.

Gregg Profozich [00:35:48] If these are the right things to happen after, is there a practice in your drilling of it that should be done? Should you simulate it to make sure that the plan works, water test it, type of thing?

Dr. Ron McFarland [00:35:58] Absolutely. The incident response plan, what the SMM should consider doing is walk through their own incident response plan—build that out—and then afterwards, engage with the IT service provider and have them work on their own incident response plan. Articulate those two pieces together. I’ll tell you why that incident response plan is really … You had mentioned, of course, testing it out. One of the key aspects is, if you’re an SMM, you’re thinking like I would if I owned a small manufacturing organization. I would think about my data, my employees, my production, that whole nine yards. I would be very concerned about my data and make sure that doesn’t get exfiltrated or locked up. But also, the SMM needs to put on another hat. What if your data is being managed by that SMM and they’re locked up? Nothing’s gone wrong on your side of the fence, but all of a sudden, the IT service provider, all of your data’s locked up on their side of the fence, and the data from all 30 SMMs that they’re working with are also locked up. That incident response plan needs to be articulated on both sides of the fence, from your side of the fence as an SMM and their side. Then you want to see, as an SMM, I can run through steps 1 through 15. Now, on the articulated side of the IT service provider, maybe they have 20 steps to do. How do those fit together? Once you have that dialed in as an SMM, the IT service provider should be able to respond pretty quickly. But as you mentioned, you definitely want to have some test cases where you run through some scenarios. You can take ransomware. What happens if I have …? You’ll run through a scenario where all of a sudden, your systems are locked up because of ransomware. You’ll work together with the IT provider and say, “Okay, we’re going to run this test case through. How does this work? How does the forensics work? How does the analysis? Who’s going to respond to the DIBNET? How is all the forensics capturing going to happen? What happens with that scenario?” If there are any gaps with that testing, you want to make sure that those are patched up before an incident occurs because chances are—I hate to say it—there will be an incident if you’re running an organization now. Whether it’s minor or … Hopefully not, but whether it’s major or minor, you might run into an incident probably within the next year, year and a half. That’s really based on some stats that are out in the public, if you will. You do want to make sure that incident response plan is not only articulated with your IT service provider but well-tested and refined.

Gregg Profozich [00:39:05] I hear you saying that there are definitely two sides to this coin, also. By using a third-party provider, two kinds of scenarios can happen. One is I get hacked as a small or midsize manufacturer. The other is my IT service provider gets hacked. If I’m hacked, and they’re working on it, then I’m assuming more likely that many or all of their resources are solving the problem for me. If they get hacked, they’ve got 20, 30, 50, 100 clients to manage on top of trying to manage the problem. It’d be totally different turnaround times, if you will, just from manpower and resources. Is that an accurate way of thinking about it, or am I just …?

Dr. Ron McFarland [00:39:42] That is spot on. The DOD has what’s called a flow-down clause. If I’m an SMM and I take CUI, that controlled unclassified information, that specific subset of data to support a project that I’m working on … Let’s say I’m working on F-16 parts. Those are very sensitive parts. The specifications are all called CUI. I put that on, I pitch it over to an IT service provider who’s managing that data. Herein is another caveat. That IT service provider could say, “Well, I can give you all these services,” but behind the scenes, they might even be using another IT service provider. It’s a cascading effect. Your data, who you’re giving it to … It could be all of a sudden, you’re saying, “Well, I’m using a California IT service provider.” Next thing you know, their storage is in Indiana, and some other processing is in Canada. Hopefully, not in something like Singapore or… but the impact is that cascading effect because, as an IT service provider, it’s a little more difficult to stand up a 100% full service in one location. You don’t really want to do that because then you’re at other risks. Let’s say—getting back to the SMM receiving the CUI data—there’s that flow-down clause. The SMM is required to button up that CUI, make sure no one can take it, make sure it’s encrypted and stored safely. If they pitch it over the wall to an IT service provider who might be using other IT service providers, you, as an SMM, are required to ensure that IT service provider you’re using is also in concert and is using those same restrictions that you are obligated to by contract. That’s that flow-down clause. You’re receiving that special data; you’re pitching it over the fence to the IT service provider. Along with you pitching it over the fence to the IT service provider, you have to ensure that that service level agreement with the IT service provider carries that specific protection for CUI that you, as an SMM, are responsible for. You get to pass that over. With a contractual agreement, the IT service provider will say, “Yep, I’ll make sure it’s all passed on.” They have to also flow down to their IT service providers that they may use.

Gregg Profozich [00:42:47] I’m an SMM. I hire MSP Incorporated as my third-party provider. MSP has a relationship with a cloud storage provider in Indiana. They also have one at a network maintenance and provider in Georgia and three others across the country. They have to pass the same service level requirements and reporting requirements of everything down because of flow down to all of those. Is it the parent/child, parent/child, parent/child over and over again until everybody is covered? Is that correct?

Dr. Ron McFarland [00:43:17] That’s exactly correct. There’s another caveat. In part of that passing down, that flow down, to all the service providers that may be connected, part of that is to ensure that anyone that’s in that food chain, that supply chain of service providers, if they’re using cloud services, that they use what’s called FedRAMP Moderate cloud services, which is a specific type of cloud service. You and I can go out and get cloud services. Just pay $30 a month, and get some cool tools and backup, maybe on a T-shirt business. That’s not sufficient enough. That FedRAMP Moderate is a federally tested third-party’s cloud service, where it ensures that that cloud service is buttoned up and it can’t be easily hacked. As I’m passing my data down, part of that data flow down from IT service provider to subsequent IT service providers is to ensure that anyone using cloud service in that food chain is also using FedRAMP Moderate in their cloud service provisions.

Gregg Profozich [00:44:40] There can be some detailed requirements and qualifications that have to be passed down. It’s important to really understand everything that’s in those contracts that are subject to DFARS. Again, DFARS is Defense Federal Acquisition Regulation Supplement. Is that correct?

Dr. Ron McFarland [00:44:57] That’s correct.

Gregg Profozich [00:44:59] Many SMMs don’t have the internal resources to handle their own cyber IT. Not a core competency, etc. What are some of the ways they can make sure they’re hiring the right provider if they don’t have one yet or that the one they have is the right one? What are some of those things you would look for?

Dr. Ron McFarland [00:45:16] Well, that’s the crux where I started, where we talked to 83 of our SMMs, and we narrowed it down to a focus for 10. We came up with a list. I want to highlight a couple of items on that list. For the SMM, you really want to, first off, understand your particular needs. You want to define what you need before you start looking. Or if you want to examine your current service provider, you need to understand the scope, the scale, and the specific requirements of your IT needs. Now, I’ll just mention this. Sometimes, you may need a third-party consultant, for example, to help you with that understanding because it’s not your bailiwick. For example, in terms of understanding your needs, what problems are you trying to solve? Certainly, the security of that sensitive data. Are you looking for specific expertise in the cybersecurity realm? We’ve had some of our clients, for example, have a little bit of an IT department, but they may not have had that cybersecurity expertise. Or are you looking for that whole bailiwick from an IT service provider? For the DOD in particular, if you’re a DOD SMM, you’ll need to make sure that the NIST SP 800-171 R2 … Now, that’s a whole list of cybersecurity compliance. That is 110 controls that support the DFARS. Let me talk one second about that. If you’re accepting CUI from the DOD, you are required to comply with the DFARS regulations, which are embodied by the NIST SP 800-171. What DFARS did is they pitched over the regulations to NIST, the National Institute of Standards and Technology, to write all the necessary documentation that then applies to the DFARS. That’s another food chain if you will. You want to understand your needs. What do you need in terms of IT support? What do you need in terms of cybersecurity? If you’re accepting DOD data, then you’ll have to comply with the NIST 800-171 and, in future, CMMC. Secondly, you want to look at the experience and the expertise of the provider. Does the provider have substantial experience in the field? I mentioned this because we’ve had some IT providers that are more focused, let’s say, on—little tongue in cheek—the bagel shop, and setting up cash registers, and putting in a back-end office. All of that’s fine and well, but if you’re looking at securing data, that may not be the provider you want to go for. You want to look at the experience and their expertise. Also, third item, you want to look at the range of services. Now, we talked earlier on that. There’s a whole list of items that an IT service provider can offer you. Some offer 2 or 3; some offer 20. You want to look at the range of services that a service provider can offer you as an SMM. The fourth item on my list is security. You want to check how the provider handles security. Ask about their security policies, their measures, their certifications, and how they deal with threats, some general questions about threats and security. You can even dial in more specific requests about how they handle private data, PII, how they handle sensitive data, perhaps like CUI, and what’s their background in handling CUI data. A fifth item I’d like to focus on—I keep mentioning this. Apologies—is the service level agreement. You can ask the provider about their service level agreement. They may have some generalized templates that they use, and they can then customize that along with you. Also, you want to talk to them about their customer support. Is it 24/7, 365? Again, you’ll have to ask about the cost factor, as well. The scalability in terms of can they grow when you grow. We’ve seen some service providers that have two or three employees. When an SMM starts growing rapidly, as sometimes they do, the service provider might say, “Well, you’re outstripping what we can do. Not based on our cost matrix. We might either have to re-cost things, or we just can’t support you.” Scalability is pretty darn important. One of the things I’d look for, just like a job interview, I would look for any references that they have, any reviews. It’s not only just … We’ve had a couple of SMMs who hired an IT service provider just based on word-of-mouth, somebody they knew in the industry that’s maybe across the street. Look at their references. Look at their reviews. Also, pricing. That’s an important item for SMMs, certainly. We want to be not only cybersecurity aware as well as cybersecurity risk-averse, but we want to look at the pricing, as well. Last, I want to emphasize the compliance and the certification. The IT service provider should be compliant with the necessary regulations—certainly, the NIST 800-171, the DFARS standards—but you might also … If you’re working as an SMM with consumer information, as well, you want to make sure that they’re CCPA—that’s the California Consumer Privacy Act—that they can support that. If they’re working with credit cards, it could be PCI DSS, which is another set of standards. That’s where you have to look at your environment and match up what you’re doing as an SMM, not only supporting the DOD but you could have consumer stuff. How does that match with your cybersecurity, your IT service provider, and do they have the certifications? Do they have the bandwidth to support you? Keeping these factors in mind, SMMs can hire the right provider that suits their unique needs. It takes a little bit of time and effort. I know we’ve been talking about a lot of effort, but I really think that this initial effort may take several weeks, even if it’s a couple of months. But if you have that dialed, you know as an SMM that your IT provider can really support you and support you quite well.

Gregg Profozich [00:52:30] That’s quite an impressive list. From my notes, I’m going to try to just recap them really quickly. It sounds like whether I’m looking at a new provider or I want to do a scorecard on my current one, this list would be pretty useful. Number one, start with your own needs. Understand what it is you need in terms of IT support, and then look at the provider’s experience and expertise. Do they have the expertise in your field? Do they know specifically, or is it something new for them? What is their range of services? Do they cover everything that meets that list of needs that you identified in step one? What are their security policies? What are their service level agreements? What’s their level of customer support and responsiveness? How do they scale? Can they grow with your business, or are you going to exceed them? You have a one-man show handling 10 clients and if you grow, it’s going to not work for them. Are they able to scale as your business grows? What are their references? What does their pricing look like? What are their compliance and certification aspects? This sounds like a pretty good scorecard that I could use for evaluating current or looking at new. Is there anything not mentioned on that list?

Dr. Ron McFarland [00:53:40] Oh, I’m sure I’ve left something off, but I think it’s a pretty good initial pass at it.

Gregg Profozich [00:53:47] I think for our listeners, we will make these lists that Dr. Ron is mentioning today available on the CMTC website, on the transcript session for this podcast. Ron, a long list of things talked about there when considering a third-party IT provider. As I’m evaluating a current or future one, what are some of the red flags that I would look for? What are the things that make me say, “Maybe I should look for someone else”?

Dr. Ron McFarland [00:54:16] Well, this is where I would, again, look at references as well as perhaps contacting other SMMs, and see what their experience has been with a particular IT service provider. Again, you want to look at the whole gamut, not just one or two. You could possibly look at three to five service providers when you’re looking for a service provider to support you. One of the aspects that we run into when a service provider seems to be going a little bit wonky is really around the lack of clear communication between the IT service provider and the SMM. Now, if the provider isn’t responsive or doesn’t communicate clearly and effectively, this certainly could be a sign of problems to come. You would think if you’re on a 72-hour hook when an incident occurs … I had one IT provider as an example. They said, “Oh, we’re only 8:00 to 5:00 Monday through Friday. On the weekends it’s extra cost. You can’t call me on the weekend. You just leave a message, and if I come in, I come in.” It’s like, “What?” It’s a little wacky, obviously.

Gregg Profozich [00:55:36] An incident occurs Friday at 6 PM, you got 72 hours to report it, and they don’t find out about it till Monday type of thing. Is that what you’re saying?

Dr. Ron McFarland [00:55:43] Exactly. A lot of the hacks, actually, interestingly enough, are launched on Friday evening. Isn’t that weird?

Gregg Profozich [00:55:54] Human behavior. We all want to go home for the weekend.

Dr. Ron McFarland [00:55:57] The attackers are launching their attacks when they know humans won’t be around to mitigate that. You want to make sure that you have clear communication—that 24/7, 365, or something of that nature—that really supports that robust communication if an incident does occur. Especially if your data is being hosted by the IT service provider, you don’t want to know Monday morning if it’s been hacked on Friday night at 11 PM.

Gregg Profozich [00:56:27] You’re 60 hours in potentially. You’re 60 hours into your 72-hour window. You got 12 hours to contact people. You’re jumping through hoops. You’re in a fire drill situation trying to get up and running.

Dr. Ron McFarland [00:56:37] Exactly. Every SMM has a unique way of doing business. You want to make sure that your IT service provider offers customized solutions. They may offer a one-size-fits-all solution. That may cause you to modify your policies, procedures, and processes. Do you want to do that? You want to check for customized solutions if that’s possible. If they have no references, if this is their first time out, they might be operating out of a garage somewhere. You want to make sure their references are pretty robust. If they have no long-term contracts or other customers, that could be a red flag, as well. Again, that’s the lack of experience or expertise. Especially dealing with sensitive data, whether it’s the DOD data or … I mentioned PCI DSS. That’s a standard for credit cards. If they have insufficient resources. For example, if I say, “Oh, I need X number terabytes of backup storage, log services, blah blah blah,” if they can’t support that, what’s called SIEM technology, in terms of looking at all your logs, coalescing them, and determining if there’s some incidents that are occurring on your system. If they can’t support that, then you might want to move forward with that, as well. The insufficient resources on their behalf may be a serious red flag. If they don’t have a disaster recovery plan, either. You can, as an SMM that’s hiring an IT service provider, say, “Let me look at your disaster recovery plan.” If they don’t have one, big red flag. If they have a lack of regular training and their employees don’t have any particular certifications that they can demonstrate, that is another red flag. Their training is lacking. If they don’t have a proactive maintenance strategy, you can say, “Well, let me see what your software patch management is,” as an example, “for your systems on the IT service provider’s side.” If they don’t have that, that’s a huge red flag. If there’s no transparency in billing, that’s another red flag. I had one client of ours come to me—they just started with us—and they said, “Hey, Ron, my IT service provider is charging me $6,500.” It was just one line item. It said Firewall: $6,500. No detail. I’m going, “Sixty-five hundred dollars for a firewall?” This was a small SMM. I asked them to go back to the provider and get a lot of detail. You want that detail and that transparency in billing, not just a … It’s almost like when you’re doing house maintenance. If your contractor says, “I’m going to charge you $15,000 for fixing your house,” and they don’t give you what that list is, that’s a big red flag. You want that transparency. You also want to know what cloud-based services they’re using. You want to make sure that whatever cloud-based services that they are using are FedRAMP Moderate compliant. That complies with what’s called the DFARS 7010 clause. You also want to make sure that they are also NIST SP 800-171 R2 compliant. In the future, that’s going to be called CMMC. That refers to the flow-down discussion that we’ve been talking about. All of those red flags, if they don’t have these items in place, you might want to second-guess the use of that IT service provider because they’re not really beefed up enough. They may be sufficient for handling the mom-and-pop store that you might frequent that may serve you gelato and stuff like that, but maybe not your sensitive data.

Gregg Profozich [01:00:57] Ron, that’s a great list of information. I think much of it is intuitive, as you’ve described it and we’ve gone through. I’m not going to recap it here, but it will be available to our listeners on the CMTC website for anybody who wants to take a look at that list and use it as a reference point as they work through things. Thank you very much for that. Next question, I think, is: what is a shared responsibility model, and what are some of the best practices SMMs can follow when developing one?

Dr. Ron McFarland [01:01:22] Well, this is a really good point. If you’re hiring somebody or if you’re working with an existing IT service provider, you’ll want to build a shared responsibility model. A shared responsibility model is a framework that defines the responsibilities for each of the two parties—or you may have more—that are engaging in the security, management, and compliance of a system, service, or data. Let’s assume that you’re only using one. I’ll just say the one IT service provider. A few clients have had multiple service providers, but that gets into quite a complex situation. Let’s say one. That’s pretty much the common shared responsibility model. Let’s say that you’re handling controlled unclassified information between the SMM and the IT service provider. The IT service provider will typically outline their respective responsibilities from their perspective of each party, let’s say with the SMM. Likewise, the SMM will also map out what their responsibilities are as well as the IT service provider. It’s a negotiation. The SMM might say, “Well, I want you to manage all my hardware and software and make sure the network infrastructure is fine. I’ll manage these 3 computers, but you’ll manage the other 40.” The IT service provider will say, “Okay, I’ll do that. I’ll make sure your network is a layer,” what we call layered architecture. There’s that back-and-forth of who does what, that shared responsibility. The SMM will also look at the classification and categorization of CUI-based data based on the contract requirements from the DFARS clauses. As an example, CMTC works with the SMM. This sounds a little bit like an advertisement, but this would give you an idea. We typically work with an SMM to provide training that supports the SMM’s cybersecurity posture. We look at the controls. We make sure that the SMM has those dialed in as well as their IT service provider as a separate set of trainings, if you will. Access control. The SMM manages access control mechanisms, including user authentication, authorization, and privilege management for the CUI information. They could pass that over to the IT service provider. The physical security, as well. But both sides also need a security set of policies and procedures. That’s an agreement that needs to be dialed in. Risk management. Now, risk management is often glossed over, but you want to look at risk asset management, as well. You want to determine what each risk category, each asset in your organization has. For example, your computers, your file servers, your firewalls, etc. You also want to make sure on the other side, on the IT service provider, they have that risk asset management dialed in. The incident response. We named that a couple of times through our presentation. That’s an articulated agreement. The IT service provider. Also, you want to make sure their infrastructure security is dialed in for all of their servers, their networks. You want to make sure that they’re not using a flat network architecture, as well. Their system configuration. We want to make sure everything’s hardened. If they’re using, again, cloud-based, that it’s FedRAMP Moderate; it complies with the DFARS 7010 cloud computing requirements. That they’re also doing patch management, they’re doing security monitoring, that third backup and recovery is dialed in. You’d be surprised. They might be doing backup and recovery for you as an SMM, but maybe their backup and recovery is not as robust, as secure as you’d want them to be. Also, the compliance measures. We’ve got a lot of dancing back and forth with that articulation between what we typically term as a shared responsibility model. If I can recap, the shared responsibility model is a list of your expectations, objectives on your side as an SMM. The IT providers should have a similar list. Then you come together, marry those to make sure there are no gaps in that list and that if there are gaps, that those are addressed.

Gregg Profozich [01:06:23] It sounds like it’s a two-part thing. The SMM has responsibilities. The IT service provider has responsibilities. You really need to map those out, articulate them clearly, then work through comparing them, make sure that everything is coherent and coordinated.

Dr. Ron McFarland [01:06:39] Yes.

Gregg Profozich [01:06:40] Excellent. How can an SMM make sure that their third-party IT provider is following best practices?

Dr. Ron McFarland [01:06:47] Again, this boils down to that wonderful term I keep mentioning, the service level agreement. Now, the service level agreement … I’ve worked with some of our SMMs before, where their service level agreements that they received from the IT service provider were three or four lines. It needs to be a comprehensive document. That comprehensive document embodies things like regular audit and reviews. The SMM would periodically review what their IT service provider is providing to them. That system audit would also determine how responsive that IT service provider is, how they’re actually managing their own systems, if they become out of scope, how that IT service provider will fill that gap. Let’s say if they’re not patching their systems frequently enough, how will that gap be managed? That’s part of the service level agreement. The security policies ensure that the IT provider complies with your own company’s security policies. Now, if you’re on the hook with DFARS as well as … I’ll throw in the PCI DSS credit card stuff. That’s aside from what we really do. But let’s say if you’re on the hook as an SMM for the DFARS, your DOD stuff, as well as the PCI DSS because you’re accepting credit cards, you want to make sure that your IT service provider is continually up-to-date with those two standards. As an example, that their security policies are dialed in constantly. The compliance and standards, for example, the flow down, the SP 800-171. I mentioned that for the CUI, the secure sensitive data that DOD passes on to you as an SMM. We want to make sure that they’re constantly in compliance. Now, let me mention one thing about when I say constantly in compliance. There are 110 controls with the NIST SP 800-171 that the SMM is mandated, is required by law and by contract to comply with. Let’s say if a firewall gets changed out or three or four computers get changed out. Before those get changed out, let’s say you’ve got all 110 controls check marked as yes, we’re in compliance. Once you change something in the environment, all of a sudden, you’re out of compliance for those few items until you make sure they’re buttoned up in terms of encryption, security. You might drop down below that 110 set of controls down to, let’s say, 85. Then you have to build back up to the 110. On the IT provider side, likewise, they’re constantly changing things to support their 30 other SMMs. Let’s say they’re changing firewalls or changing out hardware and software. They fall in and out of compliance. You want to make sure that they’re constantly striving to achieve full compliance on their side with the SP 800-171. Another item is disaster recovery and business continuity planning. You want to make sure you’re dialed in, that’s tested, as well. Regular communication and reporting, not just with a billing cycle. Unfortunately, we see some of that occurring. The only time they hear from their IT provider is when they receive their monthly bill. That’s not a good thing. There should be a regular meeting where you report on issues you have as an SMM and where the IT provider, quite frankly, might say, “Okay, we’ve had some problems, but here’s how we’ve mitigated them,” or “We’ve had some changes in our environment. We fell short of compliance. Now we’re back up to compliance because we made some changes.” Other things that you want to look at are ongoing training and updates. Again, we call this a vendor risk assessment. You want to conduct a thorough vendor risk assessment before engaging with a third-party IT provider. I want to mention this, as well. Exit strategy. You always want to make sure you’re dialed in with some plan for exiting. I had mentioned a vendor lock-in, where an IT provider is using unique software. Maybe they put stuff in a weird format, an unusual format. If you exit, you want to make sure that you get your data in a format, or it’s always stored in a format that is more common. If you do exit, you want to know the penalties. You want to know what your file status is, what your record status is, so that you can transition over to another IT service provider pretty easily. You also want to know the costs. We had one IT service provider bill an SMM an exorbitant amount of money when they transitioned over to another IT service provider. Bottom line, unfortunately, the SMM said, “Well, we had to pay it. I didn’t have it in my contract. Of course, I didn’t know what all those extra charges were.” It was something done well before we were pulled on board. You want to make sure your exit strategy when you transition from one to another … Maybe you’re transitioning because the service is better at another service provider; maybe it’s more cost-effective, or maybe you had problems with an existing IT service provider. You want to make sure that exit strategy is emphasizing that because I know that’s a pain point. These are some items that you want to consider.

Gregg Profozich [01:12:48] Again, a very detailed list of best practices to look for within your providers. Again, we’ll make this available on the podcast page of the CMTC website. Ron, we’ve covered an awful lot of ground today. Do you have any final thoughts or advice for SMMs?

Dr. Ron McFarland [01:13:03] Yes, especially when it comes to contractual. Working with the DOD, you want to work very actively on the NIST SP 800-171 R2 compliance. That’s what supports your DFARS regulations that you’re obligated to. Keep in mind it’s not just a checklist, as one story. We’ve gone in before to help support SMMs. One story that I have … Several years back, one SMM, I walked in. They said, “Oh, we’re already at 94% done. We just need your help with the 6%.” I said, “No, let’s go through everything.” By the time we went through everything—we go through everything looking for not only the checklist compliance but cybersecurity resilience—they were really down to about 23%. They were okay with that hard and fast review that we did with them, because they wanted to make sure that they’re fully not only compliant, really cyber secure. Another item is if you’re using a current IT provider, make sure that they are in compliance with the SP 800-171, because you as the DOD contractor, in your contract you are legally bound. This gets back to something called the False Claims Act. You are legally bound by that contract to make sure your data is secure. If you’re passing it over the wall to an IT service provider, and you’re signing off that you’re secure and they’re not—there’s that flow-down clause—you’re on the hook. You want to make sure you’re on the hook legally. You want to make sure your IT service provider is buttoned up. I got two more thoughts. Remember that if you’re using a cloud-based service or if your IT service is using a cloud-based service and you have CUI data—again, I’m emphasizing FedRAMP Moderate—you need to make sure. You just can’t throw it out on, let’s say, some IDrive somewhere and assume that it’s secure because it’s probably not. Now, I want to mention … This sounds a little bit like an advertisement, but it really isn’t. CMTC has worked with many SMMs who have used IT service providers. Again, about 80% of our SMMs use IT service providers. That’s what we’ve done before. These are some risks and suggestions that we have—we say that as the CMTC cyber team—for working with IT service providers in general. Just let us know.

Gregg Profozich [01:16:02] Well, Ron, thank you so much for joining me today and for sharing your perspectives, insights, and expertise with me and with our listeners.

Dr. Ron McFarland [01:16:09] Well, thank you very much. It’s been my pleasure.

Gregg Profozich [01:16:13] To our listeners, thank you for joining me for this conversation with Dr. Ron McFarland on managing the cybersecurity practices of IT providers. Thank you so much. Have a great day. Stay safe and healthy. Thank you for listening to Shifting Gears, a podcast from CMTC. If you enjoyed this episode, please share it with others and post it on your social media platforms. You can subscribe to our podcasts on Apple Podcasts, Spotify, or your preferred podcast directory. For more information on our topic, please visit CMTC is a private nonprofit organization that provides technical assistance, workforce development, and consulting services to small and medium-sized manufacturers throughout the state of California. CMTC’s mission is to serve as a trusted adviser providing solutions that increase the productivity and competitiveness of California’s manufacturers. CMTC operates under a cooperative agreement for the state of California with the Hollings Manufacturing Extension Partnership Program, MEP, at the National Institute of Standards and Technology within the Department of Commerce. For more information about CMTC, please visit For more information about the MEP National Network or to find your local MEP center, visit

