The new Cybersecurity Maturity Model Certification (CMMC) standard is here, and it’s being rolled out for the 300,000 non-federal organizations that make up the Pentagon’s supply chain in a staged fashion over the next five years.
The core framework for this new 5-tiered cybersecurity standard is defined and published, and the government is moving as fast as it can to build out the massive infrastructure of trainers, assessors, and documentation to support it.
The Compliance Manager CMMC platform guides you through the certification-readiness process, and once certified, helps you document your ongoing compliance to the standard.
If you are an MSP who is paying attention, this is an opportunity to get in on the ground floor of a major development and expand your business.
If any of your clients currently do business with the Department of Defense (DoD), they now face significant new IT assessment requirements for their cybersecurity practices, and those requirements must be documented.
And even if you have no clients in the DoD supply chain today, demand for compliance services from the estimated 300,000 businesses in that supply chain will outstrip supply for the foreseeable future.
The CMMC Interim Rule / NIST 800-171 Implementation
CMMC was created to make defense contractors more accountable for protecting sensitive government contract information. Full implementation into all new Defense Department contracts will take five years. In the meantime, an Interim Rule took effect on Nov. 30, 2020, with tough new requirements for all new and renewing contracts:
A self-assessment of the implementation of the 110 security requirements defined in NIST SP 800-171
A System Security Plan (SSP) that describes the environment and how each control is implemented
A Plan of Action & Milestones (POA&M) that identifies which controls are not yet implemented, with specific plans and timeframes for implementing them
Most of the organizations these requirements apply to are small and medium-sized businesses without the internal IT resources to perform the assessment or prepare the documentation. The CMMC module guides you through the assessment process and automates the report generation.
Built So You Can Gradually Get Up To Speed — One Level At A Time.
Since each CMMC Level has its own specific certification requirements, the Compliance Manager CMMC module is designed to let users select their target CMMC level for compliance management and build on the work they have already done.
Each CMMC Level builds on the previous one, and the first three levels are based on implementing an increasing number of the 110 cybersecurity controls defined in NIST 800-171. Since the Interim Rule requires an assessment against all 110 controls in NIST 800-171, the CMMC module includes a complete NIST 800-171 assessment package that meets all of the DoD's procedural and documentation requirements.
Compliance Manager gives you two options for performing your own 800-171 self-assessment:
Perform a CMMC Level 2 assessment on your network, and then use the 800-171 supplemental questionnaire to “finish” the assessment on the missing controls, or
Perform a CMMC Level 3 assessment, which “checks all the boxes” for the 800-171 assessment, and then some.
Either approach allows for a systematic and methodical implementation of this complex standard.