DoD CMMC Compliance
Over the next few years, the Department of Defense will phase-in a new set of cybersecurity standards for doing business with the department: The Cybersecurity Maturity Model Certification (CMMC). Former Acting Secretary of Defense Patrick Shanahan said that the intention of CMMC is to standardize cybersecurity requirements, and raise cybersecurity to be “the fourth critical measurement” of contractors’ proposals next to quality, cost, and schedule. The establishment of the CMMC means that contractors will need to redouble their efforts, and verify, beyond trust, that their (and any subcontractors’) cybersecurity efforts conform with new policy. Key CMMC tenets and points include:
The Five Levels of CMMC Certification
- Level 1 – “Basic Cyber Hygiene”
– 17 NIST 800-171 Rev 1 controls - Level 2 – “Intermediate Cyber Hygiene”
– 46 NIST 800-171 Rev 1 controls - Level 3 – “Good Cyber Hygiene”
– Final 47 NIST 800-171 Rev 1 controls - Level 4 – “Proactive”
– 26 NIST 800-171 Rev B controls - Level 5 – “Advanced / Progressive”
– Final 4 NIST 800-171 Rev B controls
Best CMMC Compliance Solution
In conforming to standards, companies may consider working with IT consultants to ensure compliance. Rizkly offers a lower, controlled cost and guided compliance service to simplify your CMMC compliance efforts. Rizkly compliance advisors are highly experienced in helping SMBs achieve compliance with cyber security frameworks such as NIST 800-171, GDPR/CCPA Data Privacy, and SOC2. Rizkly, powerful cloud SaaS application and expert advisory combined, enables you to address the important dynamics associated of CMMC:
CMMC combines various cybersecurity standards and best practices and maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced
Certification at one of the five CMMC levels required by a DoD project will be appear in RFP L&M sections, becoming a “bid/no bid” decision point
Certification will be performed by accredited third party, private sector assessors
All DoD contractors (prime and subcontractors) have to achieve Level 1 certification at a minimum
No POAMs allowed. If you cannot adequately address a practice for a given level, you will not certify at that level.
CMMC with Rizkly
The establishment of CMMC indicates DoD’s increasing focus on contractor cyber security. Partnering with Rizkly provides you with a expert advisor that defines and prioritizes compliance tasks along and a powerful software application so you can demonstrate compliance at a reasonable price.
CMMC Compliance Software: A collaborative cloud application providing access to all CMMC 1.0 (and NIST 800-171) requirements for levels 1 thru 5. You manage control ownership, tasks, evidence collection, policies, procedures and implementation status. Learn more about Rizkly CMMC features here.
CMMC Compliance Advisory: Assistance with compliance tasks through checklists and suggestions tailored to your project. Streamline collaboration between team members and consultants through multiple channels of communication: chat, email, phone
Tasking and Tracking: Assign ownership and access compliance status with a few clicks. Users receive alerts when it’s time to review controls or attach evidence
CMMC Compliance Audit Documentation: One-click creation of audit-ready documentation such as System Security Plans (SSP) and Incident Response Plans (IRP) reduces the time and effort needed to create, review, and maintain compliance documents, letting you focus on implementing security, rather than documenting it
Third-Party Assessor Access: streamline CMMC assessment and certification efforts with secure 3rd-party auditor access to appropriate information in Rizkly. Learn more about all of the features that make Rizkly the perfect CMMC solution here.
Demonstrate your company’s CMMC compliance status with Rizkly.
Need More Information?
CMMC Learning Resources
Register for NIST and CMMC Updates
Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls but we do not perform the actual implementation work. Over the years, we have a developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps. We will gladly refer you to appropriate partners if and when the need arises. Creating policies, procedures and other artifacts are also a key part of compliance remediation efforts and these are activities that our advisors do perform using powerful Rizkly features for policies and procedures.
Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative. We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project. Typical project activities include:
- Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
- Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort
- Develop the system ‘boundary’, and what will be in scope for compliance purposes
- Draft a system architecture diagram that clearly depicts the system boundary
- Review existing documentation and work with your team members to understand system and process specifics
- Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
- For each gap determine a detailed plan of action to remediate
- Collaborate as needed with personnel (staff and/or your vendors) during remediation.
- Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
- Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
- Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POAM reports and SPRS scoring
- Post-remediation ensure that all controls are in place and operating effectively
