DoD CMMC 1.0 Spec Released! What are My Options?

By Chor-Ching Fan and David Hall

The DoD Cybersecurity Maturity Model Certification (CMMC) intends to be the new best way of ensuring that DoD Controlled and Classified information remains that way. All companies working with the DoD will have to ensure compliance from the outset: Certification level will now be a factor in procurement strategy, and a “go/no go” decision point for a company to bid. DoD Cyber Command has kept industry in the loop and has held open conversations and gathered feedback since introducing the first draft of CMMC May 24, 2019.  On January 31st, the DoD published the finalized 1.0 version of the CMMC certification requirements, completing a critical milestone in the rollout of mandated cybersecurity standards. If CMMC is the new rules for the road, its time to get moving. But how do you do so? Where do you turn?

CMMC certification has created a bit of an industry alongside it. Partially due to its scale, the policy framers have decided upon third party certification in order to decentralize and hopefully speed up the certification process. These organizations will be trained and approved by the CMMC accreditation body to certify defense contractors’ compliance with CMMC requirements. What are the options for CMMC compliance look like though? Companies with limited budgets and without internal security compliance departments  can either A., expand roles and responsibilities of existing staff and prepare themselves internally; B. turn to consultants for full service engagements; or C. take a hybrid approach, using a CMMC compliance tool together with an expert advisor who guides companies through what has to be done and ensures that you progress towards timely certification.

 

 

 

Companies choosing Option A (going it alone with internal resources) will likely face challenges understanding the latest CMMC v1.0 detailed specification which is over 300 pages of compliance standards, examples, and instruction. While CMMC specification authors make the evaluation points as clear as possible, fully analyzing the document, creating a plan of action, and implementing that plan requires expertise and draws on staff time and energy.  If your team does not have the right expertise and experience, the process is more open to error and painful rework after external assessment.

Therefore, depending on your confidence level, you might consider outside help, or Option B.  Traditional consulting and advisory firms may be a good choice, and a good option if you do best working on an in-person basis. This also means you can hand off more of the nitty gritty work if you simply do not have the internal capacity. However, you are likely paying large sums for sequential assessment, remediation and documentation engagements with the possibility of cost and schedule overruns. We think the ideal solution is something in between— Option C., like Rizkly. Rizkly is a CMMC compliance solution that combines a SaaS application together with expert CMMC advisory designed to make the compliance process natural and easy to manage.

Features include:

  • Simple App for Cybersecurity and Compliance Management
  • Dashboard & Alerts
  • Custom or Standard Compliance Checklists
  • Secure Document Repository
  • Audit-Ready Document Generation
  • Advisor, Supplier and Assessor Login Access

Your included Rizkly advisor is ready to be called upon when you have questions or need help:

  • Dedicated vCO/vCISO with Deep Experience in NIST, SOC, and FedRAMP Controls
  • Conducts Your Initial Cyber or Gap Assessment
  • Explains CMMC Requirements and Helps You Create Policies
  • Regular Meetings and Ad-Hoc Assistance
  • Quarterly Reviews with You’re Leadership Team
  • Advisory Time is Included in Your Subscription Price

Whatever your confidence level, the time to act is now. With CMMC, DoD is proving how serious cybersecurity is to contractor performance in 2020, elevating it to the status of the “fourth pillar” of procurement decisions. One way or another, you are not alone in your CMMC compliance and certification pursuits—Rizkly is here to help. Reach out to us today, we’d love to learn more about your situation and share more about how we serve customers pursuing CMMC certification.