Last Updated on September 16, 2020
For the many companies within the US Defense Industrial Base (DIB) that don’t yet have a cybersecurity program in place, compliance with the US Department of Defense (DoD)’s new Cybersecurity Maturity Model Certification (CMMC) framework might be a big leap—even to Level 1 (“basic cyber hygiene”), the starting point for any organization that does business with the DoD.
“Even in Level 1, the basic 17 practices, it kind of gives you that 2×4-upside-the-head moment of, ‘I haven’t even been looking at some of this stuff,’” says Chris Lank, Founder and CEO at Ivis Technologies, a SaaS compliance platform provider. Chris was our guest on a recent episode of The Virtual CISO Podcast, which focused on CMMC compliance hurdles for SMBs and how SaaS tools can help.
Chris and host John Verry, Pivot Point’s CISO and Managing Partner, discussed three ways that SMBs in the DIB can benefit from using a cloud-based compliance solution to help drive and maintain CMMC compliance:
One: Proving CMMC compliance
With the DoD’s current program of self-attested compliance with NIST 800-171, SMBs can quickly put together a System Security Plan (SSP) and a Plan of Actions & Milestones (POAM) based on a few spreadsheets or other ad hoc documentation. But with CMMC, you’ll need to provide an independent auditor with bona fide evidence that you have the mandated processes and practices in place.
“Anybody who’s done any type of auditing knows that they’re just not going to accept a spreadsheet from you,” notes Chris. “You’re going to have to know the ‘who, what, when where and why.’ … If I say I’ve done this practice or this process, I had better be able to show the documentation that goes along with it. I’d better be able to show the people who were involved. I have to show the training that we instituted, and that’s all got to be backed up with more than a spreadsheet saying, ‘Yeah, I ticked the box on that one.’”
With a SaaS-based compliance system, giving auditors the proof they need is as simple as showing it to them in the tool. Further, the tool can guide your team to create and organize all the necessary policies, procedures, milestones, etc. as they implement the controls.
Two: Maintaining ongoing CMMC compliance
CMMC compliance won’t be a “one and done” proposition for DIB companies. It requires continuous monitoring.
As Chris puts it, “They need to be looking at this as a cultural change within their organization, in which these are best practices. Think of it as I buy a car, but I never tune it up. Eventually something’s going to go wrong.”
“It’s the same thing for cyber security,” Chris adds. “We’re going to work hard to get everything we need in place. But then after we have our Level 3 certification… it’s not like we’re going to stop doing these things until the next time we have to be certified again.”
In Chris’s words, a SaaS-based compliance tool can “… make it so the next time you go for this, it’s not as painful. It’s not as hard.” For example, in the tool you can schedule the activities that are needed to ensure that everything you document actually occurs. As noted above, the tool also manages evidence of your activities to support recertification down the line.
“Once you’re over that [compliance] hill, that’s when the real work begins,” shares Chris. “A good GRC system is going to say, ‘Oh, listen, did you know it’s three months since the last time you’ve done this? You’ve got to do this.’ … A good system is going to keep you above the waterline and keep you moving in the right direction.”
Similarly, as John points out, “All this information is centralized in such a way that … from a manager’s perspective, having a single pane of glass, a single view and just say, ‘Are we okay? Or is my business going off the cliff because we failed to do something?’
Three: Supporting multiple compliance efforts
The best SaaS compliance tools are designed to be “program agnostic” to support multiple compliance efforts; e.g., CMMC, PCI, HITRUST and/or Sarbanes-Oxley (SOX).
“Our system is very agnostic,” Chris offers. “So we have a one-to-many thought process. You have one company but you have many different compliance programs and risk factors that you need to look at, and the system manages that.”
The right SaaS compliance solution can help SMBs implement, execute and report on their compliance and ethics programs to save time and effort and reduce associated risk. By providing an automated framework, a SaaS tool can simplify compliance processes and eliminate the need for manual spreadsheets and email-based approvals.
If your company will soon face a CMMC assessment, now is the time to look into automating key compliance tasks to streamline your preparations. Our podcast show with Chris Lank is an ideal deep-dive into CMMC compliance challenges and how a SaaS tool can help.