CMMC Compliance Implementation

Gap Assessors evaluate your current security posture in comparison to a compliance standard’s requirements. The assessor will report on where your business must improve to meet the necessary controls through a gap assessment.  The assessor will aid you in creating your SSP and Plan of Action & Milestones (POA&M). 

You can think of the Gap Assessor as a doctor. Let’s imagine you are an Olympic track athlete and you start experiencing pain around your foot. After the doctor investigates the area, he concludes that you have sprained your ankle. The doctor directs you to wear a boot, do physical therapy exercises, and take some medication that will help you in the healing process and get you back in the competition. 

MSPs, like Simple Helix, put into effect the tools needed to execute and operate your SSP. They also serve as ongoing support providers to ensure the implemented tools continue to meet your needs. Part of this includes ensuring the security features of these tools, such as a firewall or O365 licenses, remain functional and updated. 

Going along with our medical analogy in the Gap Assessor section above, we can think of the Managed Services Provider as your physical therapist. You could have done the exercises on your own but your an Olympic athlete and you can’t miss competition. You turn to the therapist thinking you’ll be better off under the care of an expert. The physical therapist recommends the best exercises (likewise MSP recommends tools) to promote the healing process. They even provide you with a boot to protect and stabilize your ankle (likewise MSP implements tools). Once you are healed, the physical therapist will be there as an ongoing support for you to ensure your ankle continues functioning in the appropriate manner. 

Where an MSP deals in implementation, support, and maintaining security within solutions and tools, an MSSP deals in security response. An MSSP focuses on forensic analysis, incident response, pen testing, and more security response activities. In the event of a breach, your MSSP will meet compliance by taking action against cyber crime and investigating why it happened.  

Continuing the medical analogy from the sections above, you can equate your MSSP to an at home healthcare provider. As an Olympic athlete, some people want to see you fail. The MSSP ensures the boot, medication, and other resources you have been given are not tampered with. 

C3pAOs evaluate and certify your business to the appropriate CMMC level. The C3PAO has the power to award or deny certification.

Like the Gap Assessor, the C3PAO can be equated to a doctor as well. However, this doctor is the doctor that will clear you continue competing in the Olympic games. This doctor gives you a check up after you have had time to follow the advice of the first doctor. This final assessment will either dictate you must continue the healing process or it will clear you to return to the Olympics.