“Is my IT ready for CMMC?”, “Where does my team need to start?”, “What’s part of getting IT-ready for compliance?”
We’re hearing these questions more frequently as CMMC rolls out. To prepare businesses for this new certification, we’re sharing insider knowledge.
CMMC is a hot topic across our clients and prospects right now. The general consensus is IT isn’t 100% ready for this. With our current clients, it’s become a big part of our annual technology roadmap to help get ahead.
And, we’re hearing from many potential clients that their internal IT departments or MSPs are behind and overwhelmed getting ready for this. Here’s what we see as the path to IT success for business with between 20 and 500 users.
- First – The Quick Background on CMMC
- The 4 Pillars For CMMC Compliance
- Consider This About CMMC
- The Good News With CMMC
- How Can We Help You?
First – The Quick Background on CMMC
The CMMC or Cybersecurity Maturity Model Certification is a Department of Defense undertaking that all government contractors must pass.
- Businesses without compliance risk losing government contracts and clients
- CMMC rollout begins in September and continues through the end of 2020
- The audit reviews cybersecurity hygiene at five different levels
- It can take up to 6 months to 1 year to become compliant
- Proper cybersecurity hygiene is key to passing compliance
Why Do Businesses Care Now?
Unlike past compliance certs, the CMMC can cost businesses real money.
A common issue we see is overwhelmed IT. Whether it’s in-house IT or an outsourced provider, many users report backlogged projects and slow support.
Now add CMMC to the mix. IT isn’t going to improve unless a solid foundation is built. Here’s what to do.
The 4 Pillars For CMMC Compliance
In our line of work, we see a broad spectrum of compliance steps towards CMMC. We took a few minutes to summarize the key components that set the stage for successful CMMC compliance.
Businesses that build IT around defined and accepted standards are better prepared for CMMC. Standards are the foundation for any secure IT environment. Having well-established standards positions businesses better for the audit. This includes:
- Assessing the current IT environment for weaknesses (try PEN testing)
- Aligning IT with the standards outlined in the different levels of CMMC and identifying gaps
- Having a living roadmap – updated regularly– to review progress
- Documentation of the standards in place and on the roadmap
IT operational maturity is key to building a solid IT foundation for CMMC compliance. In organizations that are closer to (or meeting) CMMC compliance we see a strong focus in the following areas:
- An established ITIL service delivery process
- Strong change management processes (plan, test, deploy, QC)
- Well defined user support roles (help desk, desktop support)
- Well-documented networks & support knowledge
For CMMC compliance especially, cybersecurity is a critical component. When building a solid IT foundation, businesses include the following cybersecurity protocols:
- Strict tracking & reporting
- Secure data encryption
- Admin access monitoring & management
- Thorough background checks on all personnel
- Two-factor authentication user management
A top issue for IT departments is execution. The ability to start, finish and adjust projects is slowed by a lack of resources. We see businesses drowning in IT issues because no one has enough time or support. The signs of IT burn out are:
- Working long hours/weekends
- No bandwidth to start projects
- Start projects but can’t finish
- 4,000 loose ends
When IT is burned out, the certification will be an even bigger hassle. The solution is bandwidth – time and space to focus on getting compliant.
For many businesses, extra bandwidth comes from outsourced IT. Where could your business use a boost?
Planning → Testing→ Execution → Quality Assurance → Formal Project Closure
Consider This About CMMC
If it seems like the DoD is taking CMMC more seriously than past certifications, like NIST SP 800-171, it’s because they are.
In fact, CMMC came about because NIST standards weren’t strong enough alone to stop major security breaches. Take these three recent examples:
- Access to Virginia government contractor sold by Russian cyber criminals
- “Team Snatch” demands ransom; leaks contractor information on the dark web
- DISA data breach exposes personal information of 200,000 people
The Good News With CMMC
Businesses can prevent these incidents with strong cybersecurity hygiene and a solid IT foundation. It starts with a second opinion from a trusted IT source. When businesses have an unbiased picture of their IT strengths and struggles, improvement can begin.
If you’re unsure about your current IT strategy around CMMC, we may be able to help get you on the right track. Let’s talk about it.
How Can We Help You?