What do you think the CMMC (Cybersecurity Maturity Model Certification) will actually address?
The CMMC, while related to NIST guidelines, necessitates a thorough evaluation of your internal processes. This evaluation spans from a business perspective, focusing on the flow of sensitive data, to detailed IT controls.
The cost of achieving compliance may prompt the organization to assess the financial implications and determine the price to be paid by both the company and its clients.
Having met with more than 100 companies to discuss their CMMC journeys, the most significant value of CMMC is that it's encouraged DoD contractors and sub-contractors to take a good, hard look at their level of cybersecurity preparedness.
Specifically, CMMC Level 2 contractors are required to comply with 110 requirements that are aligned with NIST SP 800-171 v2, undergo third-party C3PAO assessments and provide an annual affirmation of their cyber-preparedness. Previously, contractors were subject to a less rigorous process that only required them to conduct self-assessments.
Finally, CMMC has encouraged DoD contractors to examine the level of security protection across their supply chains, which was a longtime area of weakness. Although no compliance mandate is perfect, CMMC does play an active part in protecting contractors from the growing risk of nation state-based attacks and insider data theft that could jeopardize national security.
Well put!
Thanks a million, David Cross, for your kind words! We have seen many situations in which CMMC compliance has even prompted organizations to take a closer look at security protection in their "commercial" lines of business, as well.
Depending on your motivation, it can be valuable. If you are trying to migrate from corporate security to federal contracts or even into being a federal employee, it would likely be very valuable, in particular for getting past computer filters on resumes.
As with many certifications, standards, working groups, etc., do you really know how to apply it? Can you work and take actions based on what you learned? If the answer is yes, you will get ahead of the competition.
If it can address standardization of language, definitions of actions, processes and procedures it can help accelerate actions for defending our cyber assets. DFARS really didn't help us get better in my opinion. We spent time debating the best ways to be compliant more than taking concrete actions.
Just like trying to align your IT department with ITIL didn't suddenly make them the greatest service organization, CMMC isn't suddenly going to secure your company. The actions taken to truly move towards an improved security posture are what is needed, and sometimes high-visibility programs like CMMC will help justify faster actions.
As with many certifications, they solve for a specific situation or requirement. But in general, their components should be used only as needed. Certifications can be overly cumbersome and create new issues beyond the ones they intend to solve. Ensure that you're clear on what and why you are using the different aspects...and the consequences of doing so. There are often tradeoffs.
I believe it's essential to see the bigger picture. Operating in the financial industry in Europe, where the Digital Operational Resilience Act (DORA) is mandatory, we are witnessing a significant shift in the mindset of companies within the financial domain and their third-party supply chains. This shift is expected to enhance the operational resilience of the entire sector.
Something similar is happening in the US with the DoD and the CMMC.