Cybersecurity Maturity Model Certification

Enforced Compliance and Security Requirements for Government Contractors

Konica Minolta continues to track the latest updates and changes to the Cybersecurity Maturity Model Certification (CMMC) program. On December 26, 2023, the Department of Defense (DoD) released a proposed rule establishing requirements for a comprehensive and scalable assessment mechanism to verify that defense contractors and subcontractors have implemented the security measures required under the CMMC Program. The rule expands the application of existing security requirements for Federal Contract Information (FCI) and adds new Controlled Unclassified Information (CUI) security requirements for certain priority programs.

DoD currently requires covered defense contractors and subcontractors to implement the security protections set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems. Contractors must also document their implementation status in a System Security Plan (SSP), including plans of action for any NIST SP 800-171 Rev 2 requirement not yet implemented. The CMMC Program gives the Department the mechanism it needs to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required.

Konica Minolta is a CMMC Registered Practitioner Organization (RPO)

The new DoD proposed rule for 32 CFR ensures accountability for companies that implement cybersecurity standards while minimizing barriers to compliance with DoD requirements. Significant changes have been made to streamline the certification process. As a Registered Practitioner Organization (RPO), Konica Minolta has Registered Practitioners (RP), Certified Information Systems Auditors (CISA), and CMMC Certified Professionals (CCP) ready to support Organizations Seeking Assessment (OSA) and Organizations Seeking Certification (OSC) through the CMMC process.

Compliance Deadlines

In the proposed rule, the DoD anticipates that by 2026 all defense industrial base (DIB) contractors will need to become CMMC certified through a Certified Third-Party Assessment Organization (C3PAO). Most ecosystem members of the Cyber AB estimate that preparing for a CMMC assessment takes between 12 and 18 months, which is why the time to prepare is now.

How to prepare for CMMC

Konica Minolta follows the process below to get Organizations Seeking Assessment (OSA) and Organizations Seeking Certification (OSC) started on their journey. We will:

Help you identify the flow of FCI/CUI and create the system boundary diagram, with asset scoping.

Perform a CMMC Level conforming-practice gap assessment against the applicable standard (FAR 52.204-21, NIST SP 800-171r2, etc.).

Help you develop a NIST SP 800-18 conforming System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to address the gaps.

Support POA&M activities (recommendations and remediation) and update the SSP and policies to align with CMMC.

Help you establish evidence of conformance over a 3-to-6-month period to demonstrate habitual and persistent behavior and operation of the information security system.

Perform a Certification Readiness Assessment by identifying the artifacts that serve as objective evidence of conformance and completing the documents required by the CMMC Assessment Process (CAP).

Help you identify a reputable C3PAO and support you through your CMMC assessment.

Our RPO Capabilities

As an RPO, our capabilities are unmatched, even by C3PAOs. We are not governed by the same restrictions, yet we share much of the same expertise and information. Because we do not perform your actual certification assessment, we are free to consult and to prepare you with the most appropriate solutions for meeting the required controls and objectives. We can "hold your hand" through the process and work with you as needed to keep your program operational in non-certification years.

Why can't an OSA or OSC prepare for a certification assessment using a C3PAO?

A C3PAO is very limited in the services it can provide to an OSA or OSC. It risks a conflict of interest when providing consulting or recommendations to the organizations it assesses: because it is tasked with granting your certification, it cannot give you the answers. This is where an RPO comes in. We are in a considerably better position to implement your controls or provide you with inherited controls that can be documented in your System Security Plan and ultimately serve as your required alignment. Please reach out to our team for more information.