The resource and cost impact of levying these security controls on the internal systems of small businesses cannot be overstated. The success of major programs is built on such companies, which could potentially be put out of business by control implementation. For example, NIST 800-171 3.5.3 introduces a multifactor requirement for network access of non-privileged accounts. Since a company’s email system will store CUI, and generally all employees use that system, this requirement effectively mandates multifactor for all employees within a company. Beyond cost, there is an overarching concern about the efficacy of certain security controls.