Seek an Experienced Partner to Build a Roadmap for Department of Defense Cybersecurity Compliance
Managing the changes to HIPAA and monitoring enforcement dates can be a full-time job. Determining whether practices and processes are compliant is just one step in the process. Additionally, the need to understand how to fix potential violations is crucial to avoid substantial monetary penalties and bad public relations. The risk becomes more complicated when contracting with the Department of Defense and their updated cybersecurity requirements.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is a 3-tiered security framework put in place by the Department of Defense (DoD) to protect sensitive data from cyberattacks, as specified in NIST SP 800-171. Any contractors that wish to do business with the DoD will need to gain at least a level 1 certification to be eligible for future contracts.
Per the Office of the Under Secretary of Defense, “Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.” As a rule, all other contractors may instead have third-party conduct the assessment.
With the NIST 800-171 requirements, you can generate a Supplier Performance Risk System (SPRS) score on the scale of -203 to +110. Doing your own assessment seems like an easy and economical way to gain access to DoD contracts. But are self-assessments a good idea with these large and sensitive projects?
“Just because a contractor is secure, doesn't mean the contractor is compliant.”
- Bob D. Ashcraft, CISA, CRISC, CGEIT, CSSA, CDSPE, PA
The Risk of Self-Assessment with CMMC
Let’s start with a real example to help you understand the potential impact of doing a self-assessment without a comprehensive evaluation method. Bob D. Ashcraft, CISA, CRISC, CGEIT, CSSA, CDSPE, PA, lead regulatory advisor with CMMC Solutions and partner of CompliancePro Solutions, shared a story about a company (who we will refer to eponymously as Anonyzine) who self-assessed their cybersecurity risk.
Anonyzine regularly used the DoD Assessment Methodology (NIST SP800-171) checklist and reported a score of 108 out of 110 points, an extremely impressive score. CMMC Solutions came in to Anonyzine and performed the assessment using best practices and a proprietary assessment tool and determined their score was actually -31.
A company who, in good faith, tried to self-assess their exposure had multiple undetected violations. With the third-party assessment however, Anonyzine was left with a lengthy mitigation list to improve their cybersecurity risk under CMMC. Potential fines for the current business practices could have been up to $50,000 per violation.
“Just because a contractor is secure, doesn't mean the contractor is compliant,” said Bob Ashcraft, “However, to be compliant, the contractor must be secure. Every gap is a potential security risk.”
While not all self-assessments will be this dramatic, the need for unbiased assessment of your firm’s network infrastructure and security practices is paramount.
Working with a Trusted Partner for CMMC Assessment
While self-assessment can strengthen overall security to determine your company’s cybersecurity risk, using a professional, in connection with a reliable assessment tool, can help companies combat regulatory scrutiny and reduce their risk.
Companies who recognize the experience, resources, and methodology of choosing an outside vendor have three options:
- Large firms. A large firm likely have someone specifically knowledgeable about CMMC assessments but can be very expensive and time consuming.
- Small firms. Smaller firms can be good at applying their blanket assessment, but do not usually assist with the education and sustainability of best practices.
- Dedicated risk partner. The best option is to look for a risk partner who is an industry leader in security and compliance, able to assess you and your clients’ compliance needs specific to their business, and can ensure a sustainable, long term compliance foundation is built.
Under the partnership of CMMC Solutions, Compliance Pro Solutions, created a customizable evaluation tool that can quickly modify to fit individual clients’ compliance needs. Not all businesses are the same and the assessment process needs to be flexible enough to be able to evaluate the hundreds of controls in different environments.
No matter which path you choose for your risk assessment needs, one thing remains the same. Be secure. Seek a professional who will become your compliance and security partner to ensure your company is HIPAA compliant and can help build a solid foundation to avoid future risk.
To find out more about how CompliancePro Solutions can assist in your security and compliance needs, please visit our Cybersecurity Maturity Model Certification page.