There are 2 considerations you must evaluate when determining if your current IT support will suffice for the requirements of a CMMC certified environment. First, will your IT support staff be in-scope of your CMMC assessment? What I mean is if you have outsourced the maintenance of your computers to an IT company (or other actions), what will they say when the CMMC Assessor requests interviews with them as part of your CMMC assessment? There are many requirements that specifically define CMMC security practices to be done alongside normal IT procedures. Will your IT company know this and practice this themselves? With the amount of ongoing IT work needed to properly comply with CMMC requirements, you need to evaluate your IT provider as if they themselves were under the assessor’s magnifying glass. Which brings us to the second consideration: is your IT provider themselves prepared for the CMMC requirements? There has been no uncertainty from the CMMC authorities that the traditional Managed Services Providers (MSPs) that support Defense contractors will themselves need to seek out CMMC certification. There is simply no way to allow another company to hold “the keys” to your IT environment and not have them obligated to CMMC requirements. The reason you must adhere to CMMC is the same reason why they will need to: access to DoD information. Bottom line: if they aren’t actively working on their own CMMC preparation, you need to address the risk they will bring to your CMMC assessment.
Further reading from an authoritative source: https://www.dau.edu/events/Cybersecurity%20Maturity%20Model%20Certification
***
ABOUT TECH SAGE SOLUTIONS
Founded in 2000 by a retired Air Force Chief Master Sergeant, TechSage Solutions has had an eye for cyber security since it’s beginning. As the world of cyber security compliance standards has evolved over the past 20 years, CEO John Hill has always been mindful of what today’s regulatory environment calls for and what future needs will be. CMMC has been on TechSage Solutions radar for a while now because several of TechSage’s clients are DoD contractors and together, we’ve had to deal with NIST SP 800-171 requirements. For TechSage Solutions, CMMC is just another development in a world we’re already comfortable in. If your MSP has not discussed the current and future implications of CMMC for your organization, the time is now to consider what this lack or preparation will truly cost you. Industry experts have made it clear that organizations who are on the front of CMMC adoption will carry a competitive advantage in a highly competitive DoD contractor industry, so don’t wait to determine your organization’s plan. For further resources, please visit: www.myCMMCjourney.com or call 210-582-5814 and request the free guide for business owners and executives titled: “Planning Your CMMC Journey: 5 Questions You Should Be Asking”.”
