Southwest Portland, OR
Proudly serving Southwest Portland
You just want to make a great product but you keep getting more notices about IT compliance standards you need to meet. You know you need to meet the standards to sustain your business, but frankly, they’re a pain and they have nothing to do with what you make.
IT Assurance is your trusted CMMC compliance consulting services company in the Southwest Portland, OR area. When you partner with us, you will get your company certified and prepared for CMMS compliance audits. Contact us today for your CMMC compliance consulting service needs.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC), officially launched on January 31st, 2020, is the Department of Defense’s (DoD) newest prevention mechanism for cybersecurity controls and processes. CMMC is starting a new era of visibility and accountability for defense contractors from the security perspective.
In a nutshell, if your company has a DoD contract, then CMMC applies to you.
Here are a few critical changes we all need to pay attention to: CMMC aims to build upon the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology (NIST) frameworks and will require every contractor to be audited and certified by a third-party auditor. Most importantly, by early 2021, the DoD will begin adding CMMC requirements to all new DoD RFPs, hence this certification will eventually determine whether you will be able to bid on a DoD contract.
Benefits of CMMC compliance
CMMC will create a new baseline that will ensure all contractors make meaningful investments in cybersecurity. As we face more cyberattacks and breaches against both government and private networks, it’s high time to tighten up the reins and implement CMMC requirements, which can be beneficial to all stakeholders involved.
CMMC is designed for a win-win outcome: It requires DoD contractors to achieve a designated cybersecurity level in order to qualify for contract awards. These standards are also designed to protect the networks of government contractors for the sector’s own benefits.
This certification will provide a new framework that helps a contractor with cyberattack preparedness and incident prevention. Even post-attack, CMMC would allow the contractors to recover faster so as to reduce associated penalization or financial loss.
The new model regulates five cybersecurity maturity levels of controls and processes that align with relevant policies. For example, Level 1 adopts the FAR 52.204-21 requirements, which all federal contractors must meet. Level 1 has 17 controls, all of which are basic cybersecurity measures that provide the minimum security any contractor should have already implemented.
Now, CMMC compliance can feel overwhelming with these different levels, controls and changes. But you’re likely more compliant than you think. In fact, many small- and medium-sized DoD contractors already possess CMMC Level 2 or 3 compliance, while large contractors are likely going to meet tiers 4 or 5 with ease.
Prepare for audits with CMMC compliance consulting services from IT Assurance
Right now, no company is authorized to perform audits yet while the CMMC is still in development. Audit providers have started the process to become an auditor, and they, in turn, are building a wait-list for audits starting in early 2021. Today, here’s what we can help you do to become CMMC compliant in preparation for the coming audits:
CUI questions to determine your security level
Most subcontractors won’t need the same security level as primes, but all DoD contractors will need to be CMMC security Level 1 compliant. If you manage controlled unclassified information (CUI) in any way, you have to meet at least CMMC security Level 3.
Perform a risk assessment
Our NIST 800-171 certified cybersecurity consultant will perform a risk assessment. This assessment will review your progress toward compliance with the NIST 800-171 controls and uncover the areas that are deficient. Our consultants will also conduct vulnerability scanning and penetration testing and will report their findings.
The rule of thumb is this: If you get certified for NIST 800-171 compliance, you are pretty close to CMMC levels 1-3 certification.
Write a systems security plan
This step involves providing details regarding your security status quo and any policies that are in place that guide your cybersecurity using a NIST template. In the case that any deficiency is uncovered, we’ll put together a POA&M (plan of action & milestones) as a part of the solution.
Prepare for incident management
We can help you make and keep a high-quality incident management plan and drill on it regularly. In case a security incident does occur, you are also expected to file a report to the DoD within 72 hours.
Follow up and continually improve
We’ll help ensure that your policies are achievable and measurable. If you state that you will keep all systems fully scanned and patched at all times, then you must do so. If you fail to patch a system and, in that time, a security incident occurs, it will count doubly against your firm for both the general failure and the violation of your policy.
IT Assurance is your local CMMC Compliance Company
In a nutshell, CMMC embraces a new collaborative risk management approach that will help all DoD contractors and clients alike to better manage cybersecurity risk.
With CMMC compliance requirements expected to go into effect by early 2021, it’s important for contractors to assess their current CMMC readiness. With IT Assurance’s CMMC compliance consulting services, we can help prepare you for the incoming CMMC audits. Contact us today to get started.