Complying With Regulatory Standards For Data Privacy And Data/Cyber Security (Fourth In A Series)
June 25, 2020
By: Jason L. Ott, Derrick L. Maultsby, Jr., and Adam Zaccari
Throughout this blog series we have stressed that the global COVID-19 pandemic has not paused compliance obligations under two major regulatory regimes affecting hundreds of thousands of businesses – the California Consumer Privacy Act (the “CCPA”) and the Cybersecurity Maturity Model Certification (the “CMMC”). In this final post of the series, we look more closely at the concrete steps your organization can take to comply with each.
How to Comply with CCPA
How to Obtain CMMC
First and foremost, there is no self-certification. Your organization must work with an accredited, independent third-party commercial assessment organization to request and schedule the CMMC assessment. Your organization is responsible for specifying the certification level it needs, driven by the requirements of the DoD contracts it intends to pursue. Once satisfied that your organization demonstrates the required practices and organizational maturity, the third-party assessor will grant certification at the appropriate CMMC level. Once you obtain certification, the level will be made public; details of specific findings, however, will not be publicly available. The DoD will see only your certification level.
Your organization should begin planning for your certification at least 6 months in advance of the anticipated start date of any DoD contract. If needed, it may help to engage a CMMC-AB trained professional for guidance and preparatory work. To schedule an assessment, go to the CMMC-AB Marketplace to find an available C3PAO; that C3PAO will assign a Certified Assessor. All C3PAOs must be ISO/IEC 17020 accredited and adhere to a Code of Professional Conduct. The CMMC-AB will then review your assessment with its Quality Auditors. Your organization then has up to 90 days to resolve any findings with your C3PAO. From there, your CMMC Certification Level is issued and is valid for 3 years.
Jackson Kelly is committed to providing knowledgeable counsel to help our clients navigate these pending requirements. We have partnered with SecureSky, a leading cybersecurity firm specializing in helping companies meet compliance demands while improving their security posture. Jackson Kelly and SecureSky actively engage with industry leaders that provide the technology, tools, and resources companies around the globe need to ensure compliance in all facets of business, including the ever-growing field of data privacy and security regulation. All of us at Jackson Kelly and SecureSky hope that you found this series valuable as your organization embarks on this journey. Stay tuned for more from us as we examine the legal issues inside the cybersecurity industry.