Healthcare Resolution Services is proud to announce that it has met the latest requirements for the Cybersecurity Maturity Model Certification (CMMC) Level 2. As a registered provider organization (RPO), HCRS has a long history of assisting federal, state, and local government organizations in achieving their own CMMC compliance.
According to Brenda Doles, Principal of HCRS, the idea of CMMC has also begun to generate interest from those outside of the defense industrial base (DIB). “Certification may only be required for DoD contractors,” she noted, “but we’re hearing from businesses that don’t work directly with the government that still want to learn how to implement the same practices and procedures found in the CMMC framework. They want to do everything they can to protect their data, on behalf of their clients and for the sake of their reputations. And we know how to help them do that.”
CMMC in the News
CMMC saw an uptick in news coverage last year due to changes that the DoD put forth in its updated version, dubbed CMMC 2.0. These include consolidating five maturity levels into three, allowing self-assessments for applicants to qualify for Level 1, and allowing C3PAOs (CMMC Third-Party Assessment Organizations) to certify applicants for Level 2. The reasons given for these changes were to streamline compliance with NIST SP 800-171 and to give smaller contractors and organizations a reasonable and affordable path to certification.
Here is the current breakdown for each of the three CMMC levels:
- Level 1 (Foundational) has 17 cybersecurity practices, and requires annual self-assessments.
- Level 2 (Advanced) has 110 practices that are aligned with NIST SP 800-171, and requires self-assessments for select programs, as well as triennial third-party assessments for critical national security information.
- Level 3 (Expert) has 110 or more practices aligned with NIST SP 800-172, and requires triennial assessments from a government entity.
The DoD is expected to release its final rulemaking for CMMC 2.0 this March, then give organizations a 60-day comment period to provide feedback. CMMC requirements could start to appear in solicitations as soon as this comment period has elapsed.
HCRS Says “Don’t Wait” to Start CMMC Prep
For those that need or want to meet compliance, HCRS gives the same advice: schedule an evaluation now, so that you know what you must do to prepare for an audit. Updates cannot be rushed, which means it is not a good idea to wait for the final rulemaking and comment period.
“Companies will need to perform gap analyses to identify what areas they’ll need to improve in order to meet requirements, and that takes time,” Doles says. “Then they’ll need to make a plan for how they’ll implement those changes, and how those changes will affect their internal resources, budget, and recruitment.”
Following a gap analysis, HCRS notes that:
- New technology may need to be purchased.
- Associated costs may be higher than anticipated.
- Positions within the organization may need to be created to implement and understand these changes.
- Training new employees for these roles and responsibilities will be essential.
What a Registered Provider Organization Can Offer
As a registered provider organization, HCRS can advise and assist businesses that are seeking CMMC compliance for Level 1 or Level 2. They do this by running gap analyses to identify strengths and weaknesses in current data infrastructures, establishing plans of action and milestones (POA&Ms) for needed changes, and providing mock assessments, full assessments, and remediation. HCRS cannot administer CMMC audits nor grant certification, but it can demonstrate what these will be like when performed by a C3PAO or government entity, and offer strategies that are feasible, affordable, and comprehensive.
Why Organizations and Contractors Need Better CMMC Preparation
Even though CMMC is mandated by the government, nearly 80 percent of DoD contractors may lack even two of the 15 basic cybersecurity requirements for CMMC. When contractors self-attest and are then found to be in error, they risk losing their current contracts and face liability and debarment.
Organizations that do not require CMMC, but still wish to pursue certification, may find their reputations similarly harmed if their scores are inaccurate.
HCRS notes that companies that self-attest and identify requirements they cannot meet may still be able to substitute security measures that fulfill the same intent. HCRS can walk organizations through this process and share their knowledge on what sorts of substitutions are permissible.
Those interested in discussing these services and pricing are encouraged to contact HCRS through their website, or by phone at (301) 497-1187.
For 25 years, Healthcare Resolution Services has been helping businesses organize and protect their mission-critical data. Their status as a Cyber AB-certified RPO gives them the industry knowledge and expertise to ensure that applicants are in the best positions possible for securing CMMC compliance. HCRS also offers other vital data management services, including medical coding, medical record audits (non-CMMC), mortality reviews, clinical documentation improvement, core measures and medical record abstraction, as well as concurrent reviews and case management. Learn more about HCRS and its services here.
Originally developed in 2019, CMMC’s primary purpose has been to evaluate cybersecurity and protect government data, including controlled unclassified information (CUI). You can learn more about its history and updates on its new website.
About Cyber AB
Cyber AB “is the official accreditation body of the [CMMC] Ecosystem,” as well as the only non-governmental organization that has authorization from the DoD to “implement and oversee” compliance. It also authorizes and accredits C3PAOs so that they can perform CMMC assessments. Get a full overview of Cyber AB’s mission and offerings here.