Mike Riggs
on September 1, 2020

Compliance 101: CMMC has entered the chat

Me: “Okay Google, define CMMC.”

“CMMC is an acronym for Cybersecurity Maturity Model Certification.

Definition: a four-letter word that can strike anxiety into the hearts of those who support DoD contracts and Defense Industrial Base (DIB) organizations.”

Okay, maybe my internet-connected home assistant doesn’t define it like that – but it can certainly feel that way. But there’s good news: with the right help, it doesn’t have to be an anxiety-inducing topic. CMMC exists as an evolution of cybersecurity defense needs for those who work with the government – and as a managed service provider, even if you don’t have Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on your network, you still have CMMC requirements if you support DIB customers.

Previously, NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) was one of the cybersecurity frameworks that gave nonfederal systems a defined list of controls to adhere to. However, because NIST 800-171 relied on self-certification, and its uneven adoption produced widely varying security postures, CMMC was born. CMMC is an audited certification framework that expands on the solid guidance 800-171 laid out and holds DIB companies accountable for their cybersecurity posture.

According to the RAND Unclassified and Secure report, 99% of DIB companies (estimated to be around 72,000 companies) average around 11 full-time employees (FTEs). This poses a unique resource and compliance challenge for managed service providers and their customers as you walk with them along the CMMC adoption and maturity journey.

Things to know

There are some basics to CMMC that you need to know, not only in supporting your clients but also in ensuring your own business can effectively support your DIB clients.

  1. Know your requirements: There are 17 capability domains spread across the 5 maturity levels. These capability domains cover your entire cybersecurity process, but don’t let this scare you. CMMC compliance is a maturity journey, and you may find that you’re already doing several things that help you meet compliance at varying maturity levels across the board.
  2. Know your stack: Focus on your platforms and processes as well. As a managed service provider, your DIB clients (and their auditors) expect that your technology platforms and company processes match what is expected of them. Do you leverage third-party services that could include non-U.S. persons? If so, you may be in jeopardy of not being able to support your DIB customers. You need to ensure that there are no potential conflicts with non-U.S. persons accessing systems that may impact your DIB customers.
  3. Know how to support: Be prepared for audit support. You’re the IT systems expert for your DIB customer, and their auditors will have questions about their environment, how it is managed, and what you’re doing to ensure the environment complies with CMMC controls.
  4. Document everything: I know this seems silly, but documentation of how systems are configured, how support is performed, what your organizational procedures are, and when things were fixed or changed is all important in ensuring your DIB clients can be confident in your ability to support their IT needs.

So, how does Perch help with your CMMC mapping anxiety?

Perch’s co-managed SIEM and threat detection, backed by a 24/7 Security Operations Center (SOC), can help you gain maturity across the following domains, ensuring you have a solid start on your CMMC journey:

  • (AC) Access Control
  • (AU) Audit and Accountability
  • (IR) Incident Response
  • (SA) Situational Awareness
  • (SC) System and Communications Protection
  • (SI) System and Information Integrity

For detailed mapping information, you can access the Perch + CMMC mapping guide here.

You can leverage our modern SaaS architecture to rapidly adopt the security visibility and response required for your organization and the organizations you support. Learn more about adopting Perch in your organization here.
