Kaseya has updated its compliance management tool for businesses subject to the federal government’s Cybersecurity Maturity Model Certification (CMMC) process.
The CMMC is designed to help contractors and subcontractors that serve the Department of Defense on weapons-related projects protect “controlled unclassified information” (CUI). Every member of the Defense Industrial Base, a collection of over 300,000 organizations that contribute to the design, development, production, delivery, and maintenance of weapon systems, subsystems, and components, will be required to obtain the CMMC and clear a third-party audit by October 1, 2025.
As an interim step that went into effect on Monday, those companies must now perform a self-assessment proving that they are correctly applying the 110 security controls defined in the government’s NIST SP 800-171 rule. The new release of Kaseya Compliance Manager for CMMC guides defense suppliers through that process, automatically scores their compliance using the DoD’s proprietary scoring rubric, and generates the System Security Plan that contractors are now required to upload to the Pentagon’s Supplier Performance Risk System.
“The impact of the DoD’s new interim ruling has sweeping consequences. Every contractor and subcontractor who does business with the DoD must perform the NIST (SP) 800-171 compliance assessment using the DoD’s scoring methodology if they want to continue doing work with 7019/7020 clauses,” said Max Pruger, general manager of Kaseya’s compliance practice, in prepared remarks.
“Performing and documenting the required self-assessment is a tremendous undertaking that most SMBs are not equipped to do on their own. As such, MSPs have a unique opportunity to help these businesses perform their interim assessments, and prepare for their CMMC third-party audit at the same time. With Kaseya Compliance Manager for CMMC, MSPs can collaborate with their clients to manage the compliance process, offer remediation services for vulnerabilities found during the self-assessment, and provide evidence of compliance for the third-party auditor.”
When fully put into effect, CMMC will include five progressively more rigorous levels that suppliers must qualify for based on the specifics of their DoD contract. Kaseya partners can use Compliance Manager for CMMC to assess a customer’s readiness to complete the third-party auditing process for each of those levels.
The product currently supports level 1 and 2 assessments. Support for level 3 assessments is set to arrive in the first quarter of 2021.
MSPs who serve clients with CUI will in some cases be required to obtain the CMMC themselves. According to Kaseya, such firms can use the new Compliance Manager for CMMC release to assess their own use of NIST SP 800-171 guidelines.
“Kaseya Compliance Manager for CMMC is purpose-built to automate the rigorous cybersecurity assessment and documentation process outlined by the DoD so that SMBs and MSPs can proactively ready themselves to bid for these highly competitive contracts,” said Pruger in his prepared remarks.
In addition to CMMC, Compliance Manager offers modules for meeting HIPAA, GDPR, and cyber insurance policy requirements. A module for assessing compliance with the NIST Cybersecurity Framework also arrived early this year.