Appalachia Technologies Blog

In July 2025, York City, Pennsylvania faced every municipal leader's nightmare. Ransomware brought the city to a standstill - email down for two weeks, parking systems offline for three, financial audits pushed even further behind. Hackers demanded $1 million. Negotiators settled at $500,000, paid by insurance. The city's deductible was $25,000. But the real cost? Staff diverted for weeks, lost parking revenue, damaged public trust, political fallout. While York City's story made headlines, it wasn't an outlier. It was a preview of what's coming to a municipality near you.

In our work responding to ransomware incidents across Pennsylvania and beyond, we've seen this pattern repeat: preparation matters enormously, and most municipalities don't have it. This is not fear-mongering. It's math. And you need to understand it before the screens go black.

In my first blog of this series (Defining and Identifying Your Attack Surface), we covered what makes up your organization’s attack surface, and how it’s likely bigger (and more complex) than you realize. But knowing what’s out there is only the beginning. If you want to stay ahead of threats, you need to continuously monitor your environment, keep your asset inventory up to date, and prioritize which exposures deserve your attention.

Let’s break down what that really looks like in practice.

In today’s evolving threat landscape, understanding your attack surface is no longer optional, it’s foundational. Before you can defend your organization effectively, you need to know what you’re defending. That’s why the first step in any strong Attack Surface Management (ASM) program is clearly defining and identifying your attack surface.

But what exactly is an “attack surface”? Let’s break it down.

If you had told me a few years ago that my calendar would be split between virtual CISO responsibilities, mentoring team members, and crafting cybersecurity campaign content with a marketing team, I might have raised an eyebrow. But today, that’s just a regular Tuesday. As the Practice Lead for NIST, SOC2, and CIS GRC Services at a cybersecurity consulting firm, no two days look exactly alike, and that’s exactly what makes the role both challenging and rewarding. However, my day has looked like this before and this includes most of my responsibilities.

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Level 2 is based on the 110 security practices from NIST SP 800-171 rev 2. These practices are designed to protect controlled unclassified information (CUI) within the defense supply chain. For most DoD contractors, achieving CMMC Level 2 compliance is now mandatory, but the process is challenging. Organizations must navigate evolving requirements, implement technical controls, manage costs, train their workforce, and prepare for stringent audits. Here’s an overview of the top challenges contractors face along with the best practices for overcoming them.

In today’s increasingly interconnected world, safeguarding sensitive government data is a top priority for federal agencies—and for the contractors they partner with. While classified information has long been protected through well-established regulations, a new category of “Controlled Unclassified Information” (CUI) has emerged in recent years, prompting additional guidance and compliance requirements. Enter the Federal Acquisition Regulation (FAR) rule for CUI.

In this blog post, we’ll explore what CUI is, why it matters to government contractors, and how the FAR rule on CUI will shape compliance requirements going forward.