The Cybersecurity Maturity Model Certification (CMMC) builds upon the foundation of DFARS/NIST 800-171 but adds new flexibility for small businesses to ease their way into compliance. This is important because the CMMC requirement is expanding to many new types of contractors and subcontractors encompassing numerous different industries from A/E/C to manufacturing. The best part about the new CMMC: It’s basically free!
Most other providers will assess your organization to identify where you’re not meeting compliance requirements but offer little to no guidance on how to actually solve the problem, let alone implement the solutions. Not only do we perform an extensive assessment, we engineer a custom plan that we then follow to remediate all the areas that were falling short of compliance.
We also custom-developed our artificial intelligence (AI) and automation platform to deploy many of the CMMC technical requirements automatically, eliminating the countless labor hours that most other providers spend implementing the changes manually, and allowing us to get you up to speed far more quickly and for less cost.
Digital Boardwalk has spent over a decade serving regulated industries from healthcare to financial services. So, cybersecurity and compliance were not new focuses by any means.
When the DFARS/NIST 800-171 rulings came out in 2017, many of our existing clients needed assistance meeting the new requirements. These rules also meant that Digital Boardwalk had to comply with the same requirements. After a year of extensive development of our management and cybersecurity platforms, we launched a ground-breaking approach to the NIST 800-171 objectives that allowed us to deliver a solution to customers for a fraction of the cost they had been quoted by competing providers. We also applied the same technologies and automation to our own organization, forcing us to use the same solutions and follow the same workflows as our government contractor/subcontractor clients.
Unlike other providers who strictly focus on a one-time engagement to assess your current level of compliance or implement some changes and walk away, we engage with you in an ongoing relationship. We work with you to provide daily support, the necessary mechanisms for ongoing compliance, and a complete technology team including CIO, CISO, security operations center (SOC), incident response team, change management team, and help desk.
As your compliance partner, we also help you adopt new technologies and requirements over time as the CMMC evolves and you pursue higher levels of the CMMC, an important factor in winning higher-value government contracts.
We perform a full technology and network discovery to determine the current state of your environment with respect to the CMMC requirements. We then design a custom technology and risk mitigation plan, including a detailed budget, to meet the objectives of your desired CMMC level over time.
We implement a strategic and comprehensive set of cybersecurity solutions from an Intrusion Prevention System to automated incident response. We layer on just the right set of solutions to satisfy your desired CMMC level while having flexibility to add more layers as you pursue higher CMMC levels in the future.
As with most regulatory compliance mandates, the CMMC requires thorough documentation of your policies and procedures, which can be an overwhelming task for any business starting from scratch. We provide a comprehensive set of formal written policies that you can quickly modify and implement into your organization.
Only some of the CMMC requirements can be achieved through technology. The rest require that your team follow formal procedures that are oftentimes brand new. For this reason, we help you implement CMMC requirements well ahead of your certification, so your organization has time to adapt to the changes.
In 2017, the final rule for the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 went into effect, which required Department of Defense (DoD) contractors and sub-contractors to implement various cybersecurity measures to protect Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
The biggest hurdle of this rule was compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-171. This compliance requirement comprised over 100 individual cybersecurity requirements covering everything from access control to physical handling of protected documents.
Most contractors/subcontractors, now subject to these cybersecurity compliance requirements in order to bid on future government contracts, weren’t remotely close to being compliant. Upgrading infrastructure and hiring cybersecurity professionals would cost hundreds of thousands, which was ultimately out of reach for many businesses.
Another shortcoming of the previous rules was they were attestation-based, meaning there was no independent verification that contractors/subcontractors were compliant with the requirements.
In response to challenges surrounding compliance with DFARS 252.204-7012 and NIST SP 800-171, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) set out to develop a tiered compliance strategy that would allow contracting officers to base the required level of compliance upon the types of information handled in the contract.
With five different maturity levels, the CMMC allows contractors/subcontractors to build up their cybersecurity maturity level over time as they pursue contracts with increasing exposure to CUI/CDI. Additionally, the CMMC will allow contractors/subcontractors to expense their costs to achieve compliance against the awarded contract, essentially making it free.
The Cyber AB is still actively developing the CMMC 2.0 and all the processes that will surround obtaining a certification.
Certified Third-Party Assessment Organizations (C3PAO) will ultimately be responsible for conducting assessments of Defense Industrial Base (DIB) companies to certify their compliance with a CMMC level. The Cyber AB is working diligently to train and prepare the entire ecosystem of CMMC professionals in advance of the requirements. Organizations currently working with the government and seeking certification are already required to comply with the DFARS/NIST 800-171 objectives and should not wait for the CMMC certification requirements to begin preparing.
"Be wary of experts who claim they can guarantee compliance. They cannot. Until the CMMC is fully developed, focus on DFARS/NIST 800-171 compliance as it is still law and the foundation upon which the CMMC is being developed." -The CMMC-AB.
The first voluntary CMMC 2.0 assessment is scheduled for August 2022. DoD officials have said they anticipate an interim final rule for CMMC to be issued by March 2023.
For more information on the projected timeline and for status updates, please refer to the Cyber AB website: https://cyberab.org/
The DFARS/NIST 800-171 compliance objectives established in 2017 are still law and must be adhered to today. When C3PAOs are officially ready to begin their assessments, Organizations Seeking Certification (OSC) will need to provide evidence of past performance and compliance with the objectives. This means that OSCs must not wait and should begin implementing the security controls as soon as possible if they haven't already.
Since compliance requires a significant amount of change within the organization, involving both technology and process changes, OSCs should plan on a minimum of 12 months to implement all the changes. The technology changes can often be completed within 6 months, but the people and process changes can take far longer depending on how well the organization adapts to change.
Absolutely! We’ve helped many contractors attest to compliance with the DFARS/NIST 800-171 requirements, the foundation of the CMMC. Contact us and we’ll be happy to provide references.
No. As a Cyber AB RPO, our role is to help you prepare for certification by implementing all the required technology changes and providing the ongoing I.T. and cybersecurity management required to continue meeting the certification requirements over time. As the CMMC evolves over time, so do the solutions and services we provide you to ensure you continue to meet your technical compliance requirements.