In highly regulated industries like healthcare, finance, and government, compliance is a critical part of doing business. Customers require robust protection of their systems and data, and the onus is on service providers to keep abreast of all guidance and regulations.
The latest version of the compliance framework released by the Department of Defense (DoD) is the Cybersecurity Maturity Model Certification (CMMC) 2.0. Like its predecessor, it is intended to implement cybersecurity best practices across the defense industrial base (DIB) and vendor landscape. These guidelines span many domains of security, from configuration management to security assessment and incident response. While specifics about the CMMC are still being released, one major point is already clear: all organizations doing business with DoD, regardless of size or market segment, will be required to meet the Level 1 requirements and may have to undergo a security audit by a CMMC Third-Party Assessment Organization (C3PAO).
So how can your company prepare for this audit?
For one thing, conducting a comprehensive internal review is a key first step towards CMMC compliance. Companies that wish to be as prepared as possible must also keep a keen eye on emerging information as it is released by The Cyber-AB, formerly known as the CMMC Accreditation Body (CMMC-AB). Here at ECS, we have provided risk mitigation and compliance as a service to customers for over 20 years. Our expert personnel are ready to help your company prepare for the CMMC audit.
Here at ECS, we have provided risk mitigation and compliance as a service to customers for over 20 years. Our expert personnel are ready to help your company ace the assessment and navigate CMMC 2.0 compliance.
ECS Vice President of Governance, Risk, and Compliance
Diagnosing the Present State
To become audit ready, you must first diagnose how well your company adheres to your desired CMMC maturity level. Your assessment should not be a checklist or cursory review, but a meticulous investigation of security systems, processes, and protocols — a comprehensive approach that requires dedicated, qualified resources.
As a Registered Provider Organization (RPO), ECS has trained Registered Practitioners (RPs) who provide advice, consulting, and recommendations to clients. This approach ensures that our customers receive a comprehensive security solution and can reach their target security posture in preparation for a CMMC audit.
Tracking the Unknown
Although these past few years have been very challenging for many organizations, the DoD and The Cyber-AB continue to move full steam ahead in encouraging organizations to prepare for the CMMC requirement.
While rulemaking is still in progress, the DoD instantiated DFARS Clause 252.204-7020, which requires contractors to perform a NIST SP 800-171 assessment and place their assessment scores in the Supplier Performance Risk System (SPRS). Additionally, these scores will have to be updated at least every three years to ensure a contracting organization can continue to do business with the DoD.
For new contracts that will include DFARS Clause 252.204-7021, companies must present their CMMC certification at the time of award. This means there is some time to prepare, but it is in an organization’s best interest to start as soon as possible.
By relying on trusted partners like ECS to prepare for CMMC, organizations can proceed uninterrupted in their efforts to serve DoD and its mission to keep our country safe.