The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program Final Rule is now live. This means that the DoD can start requiring defense contractors handling the most sensitive federal information to show compliance with the new regulations right now in order to continue doing business with the DoD.
CMMC 2.0 is intended to strengthen protections of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
If your business stores, transmits, or processes FCI and/or CUI, you will need to meet the standards outlined in CMMC 2.0 to renew an existing DoD contract or to obtain a new one.
Language for the new requirements will now start appearing in DoD contracts.
Many of the security controls mandated in the new regulations are part of existing cybersecurity frameworks. The government determined, however, that companies were not always accurately reporting their security compliance measures.
So, CMMC 2.0 establishes a mandatory assessment and reporting process for businesses handling FCI or CUI—including reaffirming every year that they have maintained compliance.
Do you need to hire an outside managed IT service provider to get CMMC certified? Which CMMC security controls will you need to satisfy? How long will it take to prepare for a CMMC assessment?
After reading this article, you will have a more thorough understanding of the CMMC process and the security requirements you will need to implement to get CMMC certified.
With this information, you’ll be able to determine if your business would benefit from working with a managed IT service provider (MSP) to guide you through the certification process.
Under the new regulation, companies are split into three categories according to the type of federal information they handle: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
Level 1 companies must meet 15 basic security requirements and protocols outlined in the Federal Acquisition Regulation (FAR). They will need to complete an annual self-assessment and report the results to the DoD.
Businesses that fall under Level 2 must comply with 110 security controls across 14 control families in NIST SP 800-171.
Again, depending on the type of sensitive federal information they handle, Level 2 companies will need to either conduct a self-assessment or have their IT infrastructure audited by a certified third-party assessment organization (C3PAO).
Level 3 organizations must satisfy the security controls for the first two levels, plus an extra 24 advanced security measures in NIST SP 800-172. These businesses will need to get assessed by DoD assessors.
All businesses at every level will need to reaffirm continued compliance each year.
The short answer is no. The CMMC 2.0 regulation does not stipulate that organizations doing business with the DoD have to work with a managed IT service provider (MSP) in order to get CMMC certified.
However, using an MSP’s team of experienced IT professionals with broad IT and cybersecurity expertise, as well as regulatory and industry best practice knowledge, can help ensure that you don’t miss a key step in the process, or overlook a critical CMMC compliance requirement that could cost you valuable time and money.
If you don’t meet the required CMMC security standards showing how your business is protecting sensitive FCI and CUI, you could end up losing your DoD contract.
An MSP can conduct a CMMC gap analysis to assess your entire IT infrastructure and identify any existing security vulnerabilities within it and then weigh those gaps against the CMMC requirements for your level.
Depending on your business and IT environment, completing a gap analysis can take anywhere from a few months to well over a year.
Whether or not you should use an MSP for help achieving compliance depends largely on your business, existing security measures, internal IT staff, and overall IT needs.
How many employees and other users do you have? What shifts do they work? How do they access your network (in-person, remote, hybrid)?
Knowing where and how FCI or CUI is being stored, accessed, or transferred across your network will help you evaluate your security strengths and weaknesses against the CMMC controls.
How many locations do you have? How many buildings are connected to your network? How is your technology laid out within your space? (For instance, do you have a separate server room?)
What type of operating system are you using?
How complex is your company’s IT infrastructure? How many workstations, switches, servers, and firewalls do you have? What software, applications, and systems are tied to your network? Is your data being stored on prem, in the cloud, or hybrid?
Have you implemented principle of least privilege (PoLP) controls that limit access to sensitive information to authorized users on an as-needed basis?
Are you using outdated or legacy equipment that is past its recommended lifespan? Keeping your equipment current means it can receive the latest security defenses that keep your devices protected from malicious threats.
Using updated equipment also means that any necessary software updates or patching that needs to be done is compatible across all of the devices connected to your network with minimal disruption.
Have you conducted a CMMC gap analysis to thoroughly analyze your IT infrastructure and existing cybersecurity measures to see how they compare to the CMMC requirements for your level?
Have you developed a detailed Plan of Action and Milestones (POAM) to spell out exactly how you plan to fix any security issues within your IT environment found during the gap analysis?
Your POAM is a critical component of the CMMC process because it will form the basis for your assessment.
Have you developed and adopted an incident response plan (IRP) in the event of a cyber incident? Implementing a strong IRP is also another requirement of CMMC.
Businesses must have a strong IRP in place outlining not only the technology and protocols, but also the internal and external stakeholders who will be notified after a cyber incident.
Are you providing employee security awareness and training so that your staff is aware of the latest cyber threats and how to avoid falling prey to a virtual scheme that could open the door to a cyber attack?
An estimated 95 percent of cyber incidents stem from human error. By offering regular cybersecurity education using real-world training modules and exercises, you can turn your workforce into your organization’s first line of defense against a cyber attack or data breach.
We recognize that managed IT support is not right for everyone. If you have a small business with fewer than 10 employees, or you have an existing internal team of qualified IT professionals, then you likely don’t need managed IT services.
If you’re still unsure if you should use an external managed IT company to help you achieve CMMC compliance and certification, consider the following:
Whichever direction you choose to go in, we encourage you to do your research when shopping for a managed IT company. Read this article to find out how to decide if managed IT is right for your small or medium-sized business.
If you are uncertain whether you’d be getting your money’s worth with managed IT support, read Managed IT Services: What’s Your True ROI?
At this point, you may be curious to learn how much managed IT services might cost your business. If so, use our Kelser pricing calculator to get an instant, no-obligation estimate.
If you’ve done your research and are interested in speaking with someone about CMMC compliance or other IT concerns, click the button and one of our IT experts will respond promptly to see how we can help you address your IT issues.