CMMC Compliance Basics and Need to Know Information
CMMC (Cybersecurity Maturity Model Certification) is a standard that is being implemented across the Defense Industrial Base (DIB). The standard is exactly what it sounds like: a framework that affects both the security of a company's technical infrastructure and the business's operational structure. These compliance standards address the fact that one of the Department of Defense's (DoD) greatest vulnerabilities is the civilian companies that support the DoD.
Who Will Need to Comply?
Any company that does business with the DoD (except for those handling only COTS) will need to reach compliance, as judged by compliance auditors, at one of the 5 CMMC levels. This standard will be enforced for primary contractors, subcontractors, and even suppliers to the primary contractors.
What Level Will I Need to Achieve?
The level that must be achieved will be stated directly in the contract request. In theory, the level will be dictated by the sensitivity of the information handled under the contract. An evaluation of which level will be needed may be discussed with a consultant.
What is Our First Step?
The first step is to assemble a team to help you reach compliance. This team will need a Cybersecurity Consultant. CMMC is fairly new; however, the frameworks from which it originates, NIST 800-171 and a few others, are not. Finding a Cybersecurity Consultant who is familiar with CMMC and has experience with HITRUST, SOC 2, or financial compliance is important. This person should be knowledgeable enough to help with any questions or issues that may arise.
In addition, your team will need a Team Lead, someone who is responsible for keeping the plan moving. This person will need to be detail-oriented, understand how the departments work together, and act as a liaison between all the other members and the Cybersecurity Consultant, and later the CMMC third-party auditor.
To complete your team, you will need a Human Resources lead, a Financial Lead, an Operations Lead, and someone thoroughly knowledgeable about the IT infrastructure, including but not limited to the security roles within the organization and where data is stored. In smaller organizations these roles will usually be shared; all roles just need to be accounted for.
What Can We Expect?
CMMC will bring a series of standards and processes that affect every department within the organization. Structurally, there will be standards placed on the IT infrastructure itself. There will also be processes and procedures that need to be built, tested, taught to the teams, and then checked to confirm they are actually being followed. CMMC is not a one-time stamp but a new way the business will need to operate moving forward.
What is the Timeframe to Compliance?
There are too many variables to know in advance how long this process will take: where the company is starting from, what level it is trying to achieve, how fast it is prepared to move, and how effective it is at implementing new processes.
Hill Country Tech Guys has a history of working with clients toward their compliance needs, including our own. Internally, we have promoted Jared Vinson to Director of Cybersecurity so he can focus his time, energy (and his Master's in Cybersecurity) on helping companies meet their security and compliance goals. His consulting hours are offered in a block-hour arrangement but are filling up fast.