Update 10/15: The final CMMC 2.0 rule is here. The Cybersecurity Maturity Model Certification was officially published in the Federal Register as a final rule on October 15th. What does this mean for your organization? With this final rule, contractors must take immediate action to protect CUI and align with regulatory requirements! If your business needs guidance on navigating the complexities of CMMC 2.0, CorpInfoTech is here to help.
Prepping For CMMC
The Cybersecurity Maturity Model Certification (CMMC) has been a common talking point among contractors working within the Defense Industrial Base (DIB) and with the Department of Defense (DoD). Confusion surrounding what it entails, who it applies to, and when it will take effect has been prevalent since its first iteration in 2020. Since then, CMMC has moved into its second version, consolidating the previous five levels into three. Now that the DoD has submitted its plan to the OMB, many organizations are asking themselves what they should do to prepare.
Where Does The CMMC Rule Stand?
Originally announced in 2020, CMMC has been delayed several times as the DoD has made changes and tweaked its implementation plan. In 2021 CMMC was given its second version that consolidated the five levels of maturity into three.
Since then, news surrounding when the CMMC rule would be sent to the OMB has been scarce. As of July 25th, 2023, the Department of Defense has submitted the proposed rule for the CMMC program to the Office of Management and Budget (OMB) and the Office of Information and Regulatory Affairs (OIRA). This marks a big step forward in getting CMMC firmly planted as a compliance standard for thousands of organizations. From here, the OMB has 60-90 days to complete its review of the proposed rule.
Either way, CMMC isn't going anywhere and will continue to impact contractors sooner rather than later.
How Should Contractors Respond To CMMC?
Contractors are taking two different approaches to handling CMMC compliance. Many are choosing to "wait and see" how and when the CMMC rule is published. Depending on a company's current security configuration, CMMC compliance can take time to prepare for and prove costly. This is why many contractors are waiting to make the big business decisions until the OMB decides to publish the rule.
Other organizations have chosen to proactively continue implementing their CMMC plans and having third-party assessments done to ensure that when CMMC is applicable, they are ahead of the curve. CorpInfoTech suggests taking the latter approach.
Contractors should also consider enlisting the help of a managed service provider (MSP), which CMMC refers to as an External Service Provider (ESP). An ESP can help reduce the overall cost associated with cybersecurity compliance and provide the technical expertise required to maintain compliance. However, it is important to note that your ESP will have to be CMMC compliant as well in order to offer you its services. When choosing a partner, make sure they are capable of supporting your compliance needs.
The maturity levels of CMMC are built on the NIST 800-171 framework and contain foundational security controls that your organization will be assessed on to determine your SPRS score. CorpInfoTech can conduct a comprehensive security assessment to determine whether your business will be compliant come audit time. This assessment gives you a better understanding of what your SPRS score will look like, as well as an actionable plan for fixing any gaps in your security. When it comes to compliance, being proactive is always the smartest choice.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.