A new tool that helps businesses assess their readiness for compliance requirements has been launched by security awareness training company KnowBe4.
The free-to-use Compliance Audit Readiness Assessment (CARA) tool lets users know in five minutes whether their cybersecurity is up to snuff. It works by asking a series of questions designed to help users identify potential gaps or deficiencies in their current cybersecurity preparedness initiatives.
Results are analyzed and a report is generated that contains customized guidance to help IT and cybersecurity professionals define what technical controls are required for a given scope to meet compliance.
KnowBe4 said CARA will prove useful for professionals who are adjusting to the introduction of new frameworks such as the recently instituted Cybersecurity Maturity Model Certification (CMMC). The CMMC is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which includes over 300,000 companies in the supply chain.
“Compliance audits can be a real headache for IT and cybersecurity professionals, especially given that there are new frameworks coming out that they need to follow, yet little to no help is offered,” said Stu Sjouwerman, CEO of KnowBe4.
“CARA should help to make preparing for compliance audits far less painful.”
The web-based tool guides users through the CMMC Maturity Level 1 requirements for Basic Cyber Hygiene and asks them to rate their readiness for each requirement.
Users answer each question by selecting "Met," "Partially Met," or "Not Met" before receiving a readiness report.
On September 29, the Department of Defense published an interim rule that will implement the CMMC framework. The interim rule begins rolling out the CMMC requirements on November 30, 2020.
Some level of CMMC compliance will be required of virtually all contractors on all defense contracts by 2025 at the latest.
CMMC has five levels of compliance ranging from basic cyber hygiene practices being observed to the implementation of sophisticated capabilities to detect, defend against, and respond to advanced persistent threats.
Companies that fall short of the CMMC standards will not receive a fine but will instead be ineligible for certain contracts.