February 14, 2023
You are a federal contractor. You already know that you need to become Cybersecurity Maturity Model Certification (CMMC) compliant to do business with the Department of Defense. The problem is, you’re not sure how or even where to start. Good news: This is one of the many ways a managed security service provider like Rimstorm can help. We have years of experience with the DoD and the expertise required to understand complex government policies. We can help your organization with each level of CMMC compliance so that come inspection time, you’ll pass.
CMMC 2.0
In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance Defense Industrial Base (DIB) cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
What level of CMMC do you need?
CMMC brings substantial changes to the compliance requirements facing DoD contractors and subcontractors, and they cannot be implemented at the last minute. CMMC 2.0 has three certification levels, from Foundational (Level 1) to Expert (Level 3). Level 1 applies to contractors that handle only Federal Contract Information (FCI). Any company that handles Controlled Unclassified Information (CUI) must meet at least Level 2 (Advanced), which requires implementing all 110 security requirements of NIST SP 800-171. Level 3 builds on Level 2 by adding a subset of the enhanced requirements in NIST SP 800-172 and is intended for contractors supporting the DoD's highest-priority programs. Depending on the sensitivity of the CUI involved, Level 2 is verified either by an annual self-assessment or by a triennial assessment from a CMMC Third-Party Assessment Organization (C3PAO); Level 3 assessments are conducted by the government.
If you are a DoD contractor or subcontractor and want to keep doing business with the Department of Defense, you need to start adapting now. Panicking will do you no good, but neither will waiting.
How can MSSPs help with CMMC?
How can you prepare for these certification requirements? A managed security service provider can take a lot off your plate, and that's where we come in. Rimstorm can help you prepare for your CMMC assessment in a number of ways.
An important first step is a gap analysis through our CMMC Cybersecurity Review. We compare your current processes and controls against the requirements of the CMMC level you are targeting, document every gap, and deliver a report with recommendations for closing each one. If desired, we can also help close those gaps through our managed security services and other cybersecurity services.
CMMC compliance is not something you want to put off. We understand how overwhelming it can seem, and we recognize that you would rather focus on the primary aims of your organization. But it needs to be done if your organization is to continue doing business with the DoD. Let us help you get it out of the way so you can focus on what matters most to you while maintaining a strong security posture.