The new Cybersecurity Maturity Model Certification (CMMC) standard is here, and it’s being rolled out for the 300,000 non-federal organizations that make up the Pentagon’s supply chain in a staged fashion over the next five years.
The core framework for this new 5-tiered cybersecurity standard is defined and published, and the government is moving as fast as it can to build out the massive infrastructure of trainers, assessors, and documentation to support it.
The Compliance Manager CMMC guides you through the certification-readiness process, and once certified, helps you document your ongoing compliance to the standard.
MSPs who are paying attention have a great opportunity to get in on the ground floor of this huge development to expand their business.
If you have any clients that currently do business with the Department of Defense (DoD), they now have serious new IT Assessment requirements related to their cybersecurity practices that need documentation.
And if you don’t have any clients in the DoD supply chain, the estimated 300,000 businesses that make up the DoD supply chain will create a demand for compliance services that will certainly outweigh supply for the immediate future.
CMMC was created to ultimately inject more defense contractor accountability into the protection and privacy of sensitive government contract information. Even though it will take years to fully implement, components of it are already in place and it’s important for MSPs and their clients to get started preparing right now.
Meanwhile, the DoD has just released an Interim Rule designed to beef up the reporting and compliance requirements around the current DoD cybersecurity standard, NIST (SP) 800-171. DoD is now taking comments on the new rule, which will require DoD contractors on all new contracts to perform their own guided 800-171 compliance self-assessments, and to submit their score and System Security Plan to the government.
In the eventuality that this interim rule takes effect, we are working on some new tools to streamline the self-assessment, automatically score it, and generate all the necessary documents.
In the meantime, MSPs who don’t yet have the Compliance Manager Platform should pick it up now to start going through the onboarding process so they are ready to assist their clients and prospects with these new requirements.
The Compliance Manager CMMC module is being rolled out in a staged fashion, and it will keep pace with the ongoing roll-out of the various CMMC developments.
Since each CMMC Level has its own specific requirements for certification, the Compliance Manager CMMC module is designed to allow users to select their target CMMC level for compliance management.
Each CMMC Level builds upon the previous level, and so it is recommended that organizations establish their certifications and achieve compliance at each level in succession before attempting to move up to the next level.
This approach allows for a systematic and methodical implementation of this complex standard. In fact, the Certified Professionals who perform the assessments also must show proficiency in performing assessments at each Level before they can be certified to do assessments at the next Level.