Small Business Path to Compliance

By: Katie Bigelow, President and Founder of Mettle Ops

I don’t even know what prompted me to go, but there I was sitting in a large room at MMTC getting my first briefing on NIST.  At that time, my tiny business was myself and 3 other people sitting in the front room of my house.  The presenter explained, in detail, what we needed for cybersecurity requirements while I sat there silently trying not to kick something.  I had built my business by sheer grit and determination, and now I had a new obstacle.  The barriers to entry in the defense industry are the equivalent of giant, transparent walls.  We can all see what’s happening on the other side, but we just keep climbing a wall to find a new one in its place. 

I am reasonably adept at small office computer management.  We were hosted by Zoho with a domain and a pretty decent website that I designed myself.  My budget for cybersecurity was $0. I understood the reasons and the urgency for cybersecurity but had no idea where to start to become NIST compliant. 

I went back to the office feeling discouraged.  I wasn’t even sure if Zoho was hosted in the United States.  (It wasn’t at the time.)  In the months that followed, I reached out to my resources for help, attended training, and attempted to read the NIST standard myself. The solutions that I could find were high dollar consultants that were geared to assist mid-size to large businesses.  I found one that was willing to help.  He gave me a discounted rate that was still far more than I had paid for a service, and together we went on a hunt to find an MSP to help my small business.  The MSPs we met with weren’t interested in the hassle. 

Even though we were in the process of working toward compliance, I was still at a loss.  We ultimately found an MSP that was amazing who helped me understand the process better.  My investment felt like it was growing exponentially.  It was a really tough process.  I was trying to bootstrap a small business and respond to NIST consultant questionnaires. We upgraded to Microsoft, switched to a server, implemented two-factor, and so on.  Eventually, the budget ran out.  I had two options: pause the NIST compliance or pause my information systems.  While the consultant got me started, I couldn’t keep going with him.  That left my MSP and me to struggle forward with NIST on our own.  By this time, my vendors were reaching out asking how I was getting to NIST compliance, and I just shared my path forward.  My MSP started to take on more and more customers that wanted NIST compliance from a small business standpoint.

Managing compliance is up to the beholder.  We could use forms, spreadsheets, or whatever to document and time stamp the daily changes that my company was making.  Every new employee represents a change.  Every new piece of hardware means more documentation.  Eventually, we discussed switching our documentation to Microsoft Access.  It was so 1990, but it was what we could afford. By this time, my MSP had become a big part of our organization.  Together, we decided that other companies could benefit from our Access documentation of NIST, and NUDG was born. 

Microsoft Access wouldn’t serve us for very long, and we quickly pivoted to a Zoho platform and created NUDG 2.0. In response to US cybersecurity standards, Zoho had adjusted and would now meet the standards.  As we gain momentum in our software sales, we have aggregated customer feedback and roadmapped a ton of new features on the horizon, including NUDG 3.0 in Microsoft Azure.

The path to compliance was expensive and required a lot of adjustments.  My company now holds four contracts that require NIST, with a fifth contract currently in the award process.  This represents as much as $42M in revenue for the future of Mettle Ops.  It turns out the struggle, heartache, and investment were worth it.

As a parting thought, let me give you a hint.  Search your contracts for 7012, 7019, 7020, and 7021.  If you have any combination of DFARS 252.204 with these clauses, you NEED to check the first page of the contract.  If your signature is on it, you have already committed to comply. You are legally culpable for the commitment you already made.
