We speak with many IT Managers each week who are seeking to become compliant with NIST SP 800-171 with the goal of achieving CMMC Certification. One recurring theme we see is that IT Managers are often handed a complex task: exploring a major IT system change, such as virtualization or a move to cloud services, at the same time they are working to become compliant with one of these standards or to achieve CMMC Certification.
Small business owners and IT Managers have a lot to consider when their goal is compliance and proper cyber hygiene. Many are not aware that decisions about how their system is set up can create extra expenses and excessive spending if they choose the wrong solution. As an example, many of the people we speak with are not aware that Microsoft has directly stated that Office 365 Commercial does not meet DFARS 252.204-7012 compliance requirements because it does not meet FedRAMP Moderate standards.
As a company that operates as both a cyber-security-focused Managed IT Service Provider (MSP) and an Information Security Compliance Consultant, we see many decision makers left with one big question: What should I focus on first?
Our answer is always the same: the safest way for any company to proceed is to focus on understanding compliance first. The reason is that NIST SP 800-171, DFARS 252.204-7012, and CMMC Certification have specific controls that dictate what types of solutions and services should be in place. In addition, cloud service providers are subject to special rules and requirements if they will be handling CUI, CTD, or CDI. Our advice: get the compliance understanding first, before you spend money on IT changes that may not work for you later.