
CMMC Update

Greetings!  In an effort to be more communicative as an organization, I’m hoping to create more content in this format, which is written less as an article and more as a conversation.

CMMC (Cybersecurity Maturity Model Certification) is finally upon us.  Over the next several months we’re working through it for the first time with MSPs and SaaS companies on some Level 2 certifications (Level 2 maps to the 110 security requirements of NIST SP 800-171).  The main purpose of this note is to alert companies that CMMC Level 2 preparation can take up to a year, far longer than it takes to implement a SOC 2 or ISO 27001 compliant security program.

From our perspective, the most difficult area to achieve compliance with is Configuration Management (CM).  A few controls in other areas will also take work, but getting the Config Management effort right is going to take real time: documented baselines, change control, and ongoing monitoring for drift.  We’re hoping that C3PAO assessors will be relatively lenient in Year 1, with much more evidence around the monitoring controls required in Year 2.  We believe assessors will at least work with you on what needs to be improved, since very few companies have applied the resources required to comply with the CM monitoring controls.

It is also important to note that there are some hardline “fails,” such as non-FIPS-validated encryption within the in-scope infrastructure and some other basic blocking-and-tackling security controls.  For controls that don’t fall into the “high impact” (highest-weighted) category, however, you can get a 180-day window to remediate them on a Plan of Action and Milestones (POA&M), provided your overall assessment score clears the minimum threshold.  Check early that every component touching CUI (VPNs, TLS endpoints, disk encryption, backup tooling) is using a FIPS 140 validated module, not merely a “FIPS-compliant” algorithm, since that distinction is exactly what the assessor will look for.

If you handle Controlled Unclassified Information (CUI) for DoD contracts, you’re going to have to comply at Level 2.  If you hold only basic Federal Contract Information (FCI), such as names and email addresses, you likely will be able to meet the Level 1 requirements instead, which are an annual self-assessment and represent a much easier path.

If you would like some help assessing your situation, please reach out via info@auditliaison.com, and someone on our team will schedule a call to provide guidance via a Q&A session.

All the best, Audit Liaison