In highly regulated industries like healthcare, finance, and government, compliance is a critical part of doing business. Customers require robust protection of their systems and data, and the onus is on service providers to keep abreast of all guidance and regulations.
The latest compliance framework released by the Department of Defense (DoD) is the Cybersecurity Maturity Model Certification (CMMC), an effort to implement cybersecurity best practices across the defense-industrial base (DIB) and vendor landscape. These guidelines span many domains of security, from asset and configuration management to situational awareness and incident response. While logistical details about the CMMC are still being released, one major change is clear: all organizations doing business with DoD, regardless of size or market segment, will be required to undergo a security audit by a CMMC Accreditation Body (CMMC-AB)-certified Third-Party Assessor Organization (C3PAO).
So how can your company prepare for this audit?
For one thing, conducting a comprehensive internal review is a key first step towards CMMC compliance. Companies that wish to be as prepared as possible must also keep a keen eye on emerging information as it is released by the CMMC-AB. Here at ECS, we have provided risk mitigation and compliance as a service to customers for over 20 years. Our expert personnel are ready to help your company prepare for the CMMC audit.
"Here at ECS, we have provided risk mitigation and compliance as a service to customers for over 20 years. Our expert personnel are ready to help your company prepare to pass the CMMC audit." - Shayla Treadwell, ECS Director of Cybersecurity Compliance
Diagnosing the Present State
To become audit ready, you must first diagnose how well your company adheres to your desired CMMC maturity level. Your assessment should not be a checklist or cursory review, but a careful, even meticulous investigation of security systems, processes, and protocols—a comprehensive approach that requires dedicated, qualified resources.
As a Registered Provider Organization (RPO), ECS has trained Registered Practitioners (RPs) who provide advice, consulting, and recommendations to clients. This approach ensures that our customers receive a comprehensive security solution and can achieve their target security posture in preparation for a CMMC audit.
Tracking the Unknown
Although 2020 was a very challenging year for many organizations, the DoD and CMMC-AB continue to move full steam ahead in encouraging organizations to prepare for the CMMC requirement.
To help bridge the implementation gap for CMMC, in late 2020 the DoD instantiated DFARS Clause 252.204-7020, which requires contractors to perform, at a minimum, a NIST 800-171 assessment and to enter their assessment scores in the Supplier Performance Risk System (SPRS). Additionally, these scores must be updated at least every three years, ensuring that contracting organizations can continue to do business with the DoD.
For new contracts that will include DFARS Clause 252.204-7021, companies must present their CMMC certification at the time of award. This means there is some time to prepare, but it is in an organization’s best interest to start as soon as possible.
By relying on trusted partners like ECS to prepare for CMMC, organizations can proceed uninterrupted in their efforts to serve DoD and its mission to keep our country safe.