In highly regulated industries like healthcare, finance, and government, compliance is a critical part of doing business. Customers require robust protection of their systems and data, and the onus is on service providers to keep abreast of all guidance and regulations.
The latest compliance framework released by the Department of Defense (DoD) is the Cybersecurity Maturity Model Certification (CMMC), an effort to implement cybersecurity best practices across the vendor landscape. These guidelines span many domains of security, from asset and configuration management to situational awareness and incident response, and include five levels of increasingly comprehensive controls, from Level 1 (Basic Hygiene) to Level 5 (Advanced/Progressive). While many logistical details about CMMC have yet to be released by DoD, one major change is clear: all organizations doing business with DoD, regardless of size or market segment, will be required to undergo a security audit by an independent third-party assessment organization (3PAO).
So how can your company prepare for this audit?
For one thing, conducting a comprehensive internal review is a key first step towards CMMC compliance. Companies that wish to be as prepared as possible must also keep a keen eye on emerging information as it is released by DoD. Here at ECS, we have provided risk mitigation and compliance as a service to customers for over 20 years. Our expert personnel are ready to help your company prepare to pass the CMMC audit.
“Here at ECS, we have provided risk mitigation and compliance as a service to customers for over 20 years. Our expert personnel are ready to help your company prepare to pass the CMMC audit.”
Shayla Treadwell, ECS Director of Cybersecurity Compliance
Diagnosing the Present State
To become audit ready, you must first diagnose how well your company adheres to the requirements outlined in your desired CMMC level. Your assessment should not be a checklist or cursory review, but a careful, even meticulous investigation of security systems, processes, and protocols—a comprehensive approach that requires the dedicated resources of a risk compliance team.
At ECS, our team begins every preparedness evaluation with a compliance consultation, which finds the missing pieces of a company’s security posture. Next, a remediation plan will empower a company to advance from the current state to one that achieves CMMC compliance. This process requires tracking information from DoD, which means that compliance teams must watch carefully for new information on CMMC requirements.
Tracking the Unknown
Given the progressive rollout of CMMC, many questions remain about its specific implementation. For instance, some of the NIST SP800-171 guidelines that comprise the CMMC requirements have only been released within the last month, while others exist only in draft form. Similarly, little information has been released on 3PAOs. The CMMC Accreditation Body has yet to detail who will serve as these assessors, as well as the process to become certified to perform this role. As for the audit itself, it is not clear how companies will provide evidence of their compliance with CMMC regulations.
Fortunately, companies won’t need to certify compliance until contract award—likely not until early 2021. This means that organizations may have a few more months to prepare than they think they do. By relying on trusted partners like ECS to prepare for CMMC, organizations can continue uninterrupted in their efforts to serve DoD and its mission to keep our country safe.