The Cybersecurity Maturity Model Certification (CMMC) builds upon the foundation of DFARS/NIST 800-171 but adds new flexibility for small businesses to ease their way into compliance. This is important because the CMMC requirement is expanding to many new types of contractors and subcontractors encompassing numerous different industries from A/E/C to manufacturing. The best part about the new CMMC: It’s basically free!
Most other providers will assess your organization to identify where you’re not meeting compliance requirements but offer little to no guidance on how to actually solve the problem, let alone implement the solutions. Not only do we perform an extensive assessment, we engineer a custom plan that we then follow to remediate all the areas that were falling short of compliance.
We also custom-developed our artificial intelligence (AI) and automation platform to deploy many of the CMMC technical requirements automatically, eliminating the countless labor hours that most others spend implementing the changes manually, and allowing us to get you up to speed far more quickly and at lower cost.
Digital Boardwalk has spent over a decade serving regulated industries from healthcare to financial services. So, cybersecurity and compliance were not new focuses by any means.
When the DFARS/NIST 800-171 rulings came out in 2017, many of our existing clients needed assistance meeting the new requirements. These rules also meant that Digital Boardwalk had to comply with the same requirements. After a year of extensive development of our management and cybersecurity platforms, we launched a ground-breaking approach to the NIST 800-171 objectives that allowed us to deliver a solution to customers for a fraction of the cost they were quoted from competitive providers. We also applied the same technologies and automation to our own organization, forcing us to use the same solutions and follow the same workflows as our government contractor/subcontractor clients.
Unlike other providers who strictly focus on a one-time engagement to assess your current level of compliance or implement some changes and walk away, we engage with you in an ongoing relationship. We work with you to provide daily support, the necessary mechanisms for ongoing compliance, and a complete technology team including CIO, CISO, security operations center (SOC), incident response team, change management team, and help desk.
As your compliance partner, we also help you adopt new technologies and requirements over time as the CMMC evolves and you pursue higher levels of the CMMC, an important factor in winning higher-value government contracts.
We perform a full technology and network discovery to determine the current state of your environment with respect to the CMMC requirements. We then design a custom technology and risk mitigation plan, including a detailed budget, to meet the objectives of your desired CMMC level over time.
We implement a strategic and comprehensive set of cybersecurity solutions from an Intrusion Prevention System to automated incident response. We layer on just the right set of solutions to satisfy your desired CMMC level while having flexibility to add more layers as you pursue higher CMMC levels in the future.
As with most regulatory compliance mandates, the CMMC requires thorough documentation of your policies and procedures, which can be an overwhelming task for any business starting from scratch. We provide a comprehensive set of formal written policies that you can quickly modify and implement into your organization.
Only some of the CMMC requirements can be achieved through technology. The rest require that your team follow formal procedures that are oftentimes brand new. For this reason, we help you implement CMMC requirements well ahead of your certification, so your organization has time to adapt to the changes.
In 2017, the final rule for the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 went into effect, which required Department of Defense (DoD) contractors and sub-contractors to implement various cybersecurity measures to protect Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
The biggest hurdle of this rule was compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-171. This compliance requirement comprised over 100 individual cybersecurity requirements covering everything from access control to physical handling of protected documents.
Most contractors/subcontractors, now subject to these cybersecurity compliance requirements in order to bid on future government contracts, weren’t remotely close to being compliant. Upgrading infrastructure and hiring cybersecurity professionals would cost hundreds of thousands, which was ultimately out of reach for many businesses.
Another shortcoming of the previous rules was that they were attestation-based, meaning there was no independent verification that contractors/subcontractors were compliant with the requirements.
In response to challenges surrounding compliance with DFARS 252.204-7012 and NIST SP 800-171, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) set out to develop a tiered compliance strategy that would allow contracting officers to base the required level of compliance upon the types of information handled in the contract.
With five different maturity levels, the CMMC allows contractors/subcontractors to build up their cybersecurity maturity level over time as they pursue contracts with increasing exposure to CUI/CDI. Additionally, the CMMC will allow contractors/subcontractors to expense their costs to achieve compliance against the awarded contract, essentially making it free.
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is still actively developing the CMMC and all the processes that will surround obtaining a certification.
Certified Third-Party Assessment Organizations (C3PAO) will ultimately be responsible for conducting assessments of contractors/subcontractors to certify their compliance with a CMMC level. The CMMC-AB aims to have C3PAOs trained and certified to begin assessing organizations by late winter/early spring of 2021. Organizations working with the government and seeking certification should have their systems ready for assessment in order to earn their certification and begin bidding on contracts as soon as possible.
"Be wary of experts who claim they can guarantee compliance. They cannot. Until the CMMC is fully developed, focus on DFARS/NIST 800-171 compliance as it is still law and the foundation upon which the CMMC is being developed." -The CMMC-AB.
The CMMC Accreditation Body (CMMC-AB) plans on training and certifying Certified Third-Party Assessment Organizations (C3PAO) during the winter of 2020/2021. Commercial assessments will become available in the winter/spring of 2021. You will be able to select one of the approved C3PAOs from the CMMC-AB Marketplace and schedule a CMMC assessment for a specific level at this time.
For more information on the projected timeline and for status updates, please refer to the CMMC-AB website: https://www.cmmcab.org/
Whether you currently hold contracts with the government or you wish to start working with the government, becoming compliant with the CMMC requirements is not something that will happen overnight.
In order to be compliant by the accreditation go-live in winter/spring 2021 and begin bidding on contracts, we strongly recommend you begin focusing on complying with these requirements now so you can expedite your certification process.
This ultimately depends on how quickly your organization adapts to change. Agile businesses oftentimes incorporate all the changes in 4-6 months, while organizations more reluctant to change can take 1 year or longer.
Absolutely! We’ve helped many contractors attest to compliance with the DFARS/NIST 800-171 requirements, the foundation of the CMMC. Contact us and we’ll be happy to provide references.
No, nobody can at this time. Since the CMMC Accreditation Board has not yet finalized CMMC Assessor Training or any of the other processes required for certification, it is inappropriate for any person or organization to claim they can provide a formal CMMC assessment that will meet the requirements.