By now, anyone in the US Department of Defense supply chain should know about the new Cybersecurity Maturity Model Certification (CMMC). Knowing what to do about it is something else.
The goal of CMMC is to utilize five maturity levels, ranging from Basic Cyber Hygiene to Advanced/Progressive cyber practices, to ensure information protection in the defense supply chain. A contractor’s maturity level will be used as a requirement for contract award.
While a unified cybersecurity standard for DOD contracts has been needed for quite a while, the CMMC went through proposal, development and enactment in just one year. That leaves hundreds of thousands of government contractors scrambling to prepare for upcoming certification audits, or risk losing important business.
It’s a heavy lift, with 17 security access control domains included in the model, which is based on the NIST 800-171 and 800-53 standards. According to DOD’s Katherine Arrington, the leader of the CMMC initiative, the requirement will start showing up in DOD Requests for Information as of June.
The CMMC audit process is not yet finalized, but it should be within the next two to three months. That means auditors, consulting companies and advisory firms who plan to conduct pre-assessments and execute audits must be preparing today according to the certification requirements the DOD published at the end of January. Privva is already configured to help you do this.
Rather than each auditor building its own cumbersome process where audit questionnaires, customer responses and supporting documentation will all be handled through email, Privva streamlines and accelerates audit management through a platform that is:
Scalable: You can send automated certification questionnaires to all of your clients with one click. Privva becomes a force multiplier for your staff, allowing them to focus on actual auditing work and supporting customers.
Centralized: Manage, track, and communicate with your clients on a single platform that offers rich dashboard and reporting capabilities.
Secure: Utilize Privva as a secure method of documentation, data transfer and communication for all CMMC-related interactions. It’s much safer than email and provides a verifiable audit trail as well.
Current: We’re already fully configured for DOD-published requirements. As those may be refined for the final iteration, we’ll quickly modify our highly adaptive platform with no additional effort needed on your part.
With Privva, your clients can easily respond to certification questions, validate which CMMC controls they've met, upload proof or provide comments. For example, if they’re asked about having an information security policy, a client can respond that they have one and upload the policy document to the Privva platform. Or they may attest that they have a policy, but add a comment that it is not formally documented.
Since all client data is in one place, you can also apply analytics and tracking of risk objectives, from top-level summaries down to detailed findings, through a standardized evidence-based reporting structure. These insights will help identify trends in strengths and weaknesses across the entire supply chain.
The advent of CMMC marks a significant change for many businesses, especially small to mid-sized ones, that provide products and services important to our national defense. As auditors prepare for this new and complex requirement, Privva offers a unique opportunity to start the process right. Streamlining CMMC auditing and certification will help more companies complete this critical process and accelerate the digital security of our critical defense infrastructure.
Schedule a time to discuss how Privva can help you review your DoD clients.