The new Cybersecurity Maturity Model Certification (CMMC) standard is here, and it’s being rolled out for the 300,000 non-federal organizations that make up the Pentagon’s supply chain in a staged fashion over the next five years.
The core framework for this new 5-tiered cybersecurity standard is defined and published, and the government is moving as fast as it can to build out the massive infrastructure of trainers, assessors, and documentation to support it.
The Compliance Manager CMMC guides you through the certification-readiness process, and once certified, helps you document your ongoing compliance to the standard.
MSPs who are paying attention have a great opportunity to get in on the ground floor of this huge development and expand their business.
If you have any clients that currently do business with the Department of Defense (DoD), they now have serious new IT Assessment requirements related to their cybersecurity practices that need documentation.
And if you don’t have any clients in the DoD supply chain, the estimated 300,000 businesses that make up the DoD supply chain will create a demand for compliance services that will certainly outweigh supply for the immediate future.
The CMMC Interim Rule / NIST 800-171 Implementation
CMMC was created to ultimately inject more defense contractor accountability into the protection and privacy of sensitive government contract information. Full implementation into all new Defense Department contracts will take five years. But in the meantime, an Interim Rule kicked in on Nov. 30, 2020 with tough new requirements for all new and renewing contracts:
A self-assessment, reviewing implementation of 110 cybersecurity controls defined in NIST (SP) 800-171
A System Security Plan (SSP) that provides the details of the environment and the implementation of the controls
A Plan of Action & Milestones (POA&M) that defines which controls are not addressed and specific timeframes and plans for implementation
Most of the organizations that these requirements apply to are small and medium-sized, without the internal IT resources to perform the assessment or prepare the documentation. The CMMC module guides you through the assessment process and automates the report generation.
The Compliance Manager CMMC module is being rolled out in a staged fashion, and it will keep pace with the ongoing roll-out of the various CMMC developments.
Since each CMMC Level has its own specific requirements for certification, the Compliance Manager CMMC module is designed to allow users to select their target CMMC level for compliance management.
Each CMMC Level builds upon the previous level, and the first three levels are based on implementing an increasing number of the 110 cybersecurity controls defined in NIST 800-171. Since the Interim Rule requires full implementation of all 110 controls found in NIST 800-171, the CMMC module includes a complete NIST 800-171 assessment package that meets all of the DoD’s procedural and documentation requirements.
So it is recommended that all organizations immediately perform their 800-171 assessments and generate the required documents. Doing so will automatically achieve all of the requirements of CMMC Level 1 and Level 2 prep, and get the clients 85% completed on the journey prepping for CMMC Level 3.
This approach allows for a systematic and methodical implementation of this complex standard. In fact, the Certified Professionals who perform the assessments must also show proficiency in performing assessments at each Level before they can be certified to do assessments at the next Level. Once the client has completed the NIST 800-171 assessment requirements, if a future contract includes a CMMC Level 3 certification requirement, Compliance Manager will be ready to complete the prep work needed for the 3PAO assessment.