Whether you're evaluating IT providers or satisfied with your existing firm, one important question to ask is whether they are CMMC certified. According to the Office of the Under Secretary of Defense for Acquisition & Sustainment website, the "Cybersecurity Maturity Model Certification (CMMC) framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain."
It was developed to enhance the protection of controlled unclassified information (CUI) within the Department of Defense (DoD) supply chain. Even if your business is not in the DoD supply chain, this is important to be aware of, because it represents the enforcement of ever-maturing cybersecurity standards, and contracts will increasingly be awarded based on continuing to meet stricter cybersecurity requirements.
From the website:
- "The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level."
Is your IT firm a CMMC Registered Provider Organization?
Registered Provider Organizations in the CMMC ecosystem are recognized as familiar with the basic constructs of the CMMC Standard and are authorized to provide advice, consulting, and recommendations to their clients. They are the “implementers” and consultants, but they do not conduct Certified CMMC Assessments.
As a registered CMMC provider, Thriveon helps clients by guiding and implementing the policies, controls, and evidence needed to meet ever-maturing cybersecurity standards.
As cybersecurity continues to evolve, so does the need for strategic guidance. That’s why for the last 19+ years, Thriveon has deployed an approach that proactively eliminates IT risk and supports business growth.