By now, you have seen the acronym CMMC and may be wondering what it means for your company - this article should help. We are going to explain what an IT Service Provider can do for your company and how they will allow your business to focus on what it does best.
CMMC is the acronym for the “Cybersecurity Maturity Model Certification” and it is the Department of Defense’s approach to ensuring cybersecurity compliance standards are upheld throughout its supply chain These new compliance standards can cause a considerable amount of extra work for the approximately 350,000 suppliers, contractors, and businesses who are part of the supply chain for the U.S. Department of Defense, or the DoD.
While it’s understandable that there needs to be reform when it comes to the sensitive information that is stored in the IT systems of companies throughout the DoD’s supply chains, the actual implementation of these extra security measures can be difficult for smaller businesses.
There are five different maturity levels within CMMC. To be certified, you will have to have a third-party audit that will assess your true cybersecurity capability at your company. This fall, there will be a roll-out that requires new contracts only to accept bids from companies that have passed their audit.
With everything else going on, implementing this can seem entirely overwhelming. However, contracts are at stake, so your business must be ready for these third-party audits. Here is where you have an opportunity for a managed service partner to help.
RELATED: How to perform an IT Gap Analysis
A small DoD supply chain partner may not even know how to begin implementing the practices that are required to satisfy the CMMC requirements. Larger businesses will probably have no problem doing this as they have the means and resources to have state-of-the-art cybersecurity already. These larger companies likely won’t need any outside assistance to meet the standards of the new requirements.
However, big companies are such a small part of the DoD’s supply chain. It is estimated that 99% of the supply chain is composed of small businesses. These companies have less than $100 million in revenue and have an average of 11 employees. If this sounds like your company, then you are the type of business that can benefit from using a managed service provider to provide your cybersecurity.
Small businesses typically need more assistance with user authentication, vulnerability assessment, software patching, network defenses, and Security Information and Event Management (SIEM). Small to medium-sized companies also are likely to have slow response times to cyber attacks.
So, how will the smaller companies prepare for CMMC? Some prepared companies started outsourcing their cybersecurity needs back in 2019 to qualify for the new standards set by NIST. These third-party services can be a lifeline to small businesses that simply are not prepared to take on these new challenges by the Fall of 2020.
If this sounds like the position you and your company are finding yourselves in, we are here to help. Here are the questions you need to ask third-party service providers when you are deciding which one is going to be the best fit for your unique situation.
While this one may sound like a no-brainer, many third-party service providers are getting up-to-snuff themselves. While they may have everything set and ready to go by the Fall of 2020 - it is best not to risk the potential longevity of your company by taking a gamble on a provider that isn’t yet meeting compliance standards.
You are going to want to work with a third party that has their ducks in a row and knows what they are doing. The best ones are meeting many of the new guidelines anyways - as they are one of the companies that have set the standard for these new requirements.
It is important to remember that managed services providers are becoming the hottest target for ransomware attacks. So it is more important than ever to verify that the third-party provider you choose has the appropriate levels of security to protect your information from cyberattacks.
RELATED: Why You Need a MSP That Knows NIST 800-171 Compliance
When you are hiring a third-party provider, it is never a bad idea to call up the references they provide and ensure that they have done the level of work that is required when it comes to your unique business needs.
With over 350,000 individual businesses making up the DoD supply chain - not everyone is going to have the same needs or nuances. The partner you choose must have experience with companies that operate in a similar way to yours to ensure they will have a good handle on what work needs to be done.
You want the third-party provider that you choose to guarantee that they are going to be there and stand by their work when it is time for your third-party audit. The audit is a crucial step to CMMC certification - which will determine if you will be able to score new DoD contracts. If the managed services provider you are interviewing just wants to implement and walk away - don’t hire them. You want the partner you choose to be confident enough in their work to show up on audit day and ensure that everything is the way that it should be.
While this depends on the type of data you have access to based on your contract with the DoD, many kinds of data should only be accessed by employees who are living in the United States or are citizens.
If the IT service provider that you are interviewing has the bulk of their workforce in another country - this may not be a safe option for you. This is incredibly common, as information technology jobs and work centers are often based in other countries, such as India.
While this information may not apply to you based on the sensitivity of the data that you are working with, it is best to make sure that there won’t be any conflicts with the types of data and the employees of the Managed Services Partner.
Here is where you need to get into the nitty-gritty. The IT Service Provider’s systems, as well as the systems they are paying to use, must be CMMC certification appropriate. If they are not, they are not going to be an excellent third-party partner for your company to use.
When you are interviewing these partners, make sure that you are familiar with all of the requirements so that you can spot potential weak spots during the interview and ask clarifying questions whenever it is necessary
Knowing what questions to ask potential IT Service Providers as well as knowing what to look for are crucial as you take this step with your company. The DoD has already warned that there are plenty of businesses that are claiming to be able to help with CMMC certification when, in reality, they do not have the experience or qualifications to do so.
Because this is such a new system, it is going to be difficult to delineate between friend and foe. However, while you may not be able to implement the correct IT infrastructure to adhere to CMMC yourself, you should be able to use the questions above to get a good baseline if a partner is going to do good work for you or not.
RELATED: What's the Real Cost of Bad Security Compliance?
Currently, the test is not completed yet. Certification will not begin until the Fall of 2020 - and even this could be delayed due to the issues surrounding the COVID-19 global pandemic. Nevertheless, any company that claims to be able to certify you on the spot right now is misleading you, and it is best to cut all communications with these potential partners.
This issue is so prevalent and dangerous that the DoD is sending cease and desist letters to any company that guarantees that they can get you certified - they simply cannot.
However, there are plenty of Managed Services Providers that can begin getting the new infrastructure and processes implemented in your company that will get you certified, eventually.
Be sure to look for a company that wants to partner with you over the long-term for insured success when the time comes - and you will be in good hands.
Karen Kiewski : Mar 10, 2021 10:00:00 AM
Modern businesses have to meet a lot of different regulatory compliance standards—and the specific standards they need to meet may vary depending on...
Mike Brattain : Jan 23, 2020 8:45:00 AM
Manufacturers in Michigan are facing a cyber threat they may not have considered. Large companies may begin to feel quite secure about cybersecurity....
Mike Brattain : Oct 15, 2020 9:00:00 AM
Remote work arrangements seem like they are here to stay, but are they feasible? Before the pandemic, only a handful of companies advocated for a...
Mike Brattain