The Cybersecurity Maturity Model Certification (CMMC) is coming. Are you ready? With five levels built on many existing NIST standards, it’s understandable to feel a bit overwhelmed about whether your business can meet the financial and policy obligations. Last Thursday’s panel, moderated by WhiteHawk CEO and founder Terry Roberts, should however quell any fears: implementing CMMC at the appropriate level can be easy and will benefit your business in the long run.
The panel began with Dan Turissini, SPYRUS Chief Technology Officer and representative for AFCEA, introducing Terry Roberts. Roberts then turned to the panelists for introductions and their perspectives on CMMC.
Perspective on CMMC
Kelley Artz, an enterprise risk management professional with government and industry experience serving GSA, provided the government perspective on this panel. Her opening remarks highlighted GSA’s relationship with CMMC and described CMMC’s purpose and structure in detail.
- GSA plays a heavy role in CMMC support, education, and awareness, along with the other supply chain risk management initiatives proposed by the federal government.
- “We see security as a foundation which underlies cost, schedule, and performance”.
- CMMC levels can be visualized as “crawl, walk, run”.
- Information Operation Analysts (IOAs) audit key contracts to provide a third-party assessment; third-party assessments have existed in GSA for a long time.
- Artz urges the nation, and specifically the defense industrial base, to move toward supporting and implementing CMMC compliance.
Mike Raeder is the Director of Information at Northrop Grumman and delivered the CISO perspective on CMMC. His remarks highlighted both the purpose and the potential of CMMC.
- CMMC builds on previous attempts, taking what works and applying lessons learned to build a new environment: a flexible cybersecurity model that moves as our adversaries and risks change.
- It achieves this in a way that gives flexibility to the defense contracting industry as a whole.
- A “great opportunity for us to do better,” but not without addressing all the questions we have about implementing it across industry.
Chris Cummiskey is a consultant at Cummiskey Strategic Solutions and at Virginia Polytechnic Institute and State University’s Hume Center, giving his highlights a multifaceted perspective from government, academia, industry, and as a cyber IT professional.
- Cummiskey mostly works on the homeland security and justice side of issues.
- CMMC presents an opportunity to strengthen cybersecurity functions both across the DIB and in the supply chain itself.
- Challenges arise in a system like this from partitioning the major systems through which information needs to be secured while that information is unclassified.
- Cummiskey advocates going slow and keeping the small businesses subcontracted to larger businesses in mind as the defense industrial base seeks to comply.
Janey Nodeen started at NSA as an intelligence professional and now serves as president of Burke Consortium Inc. Her highlights were also multifaceted, drawing on both a government and an SMB perspective.
- Government has built foundation “layer by layer like an oyster shell”
- CMMC provides an amazing opportunity to bring together a whole-of-DoD approach to solve this and to implement it as a whole-of-government approach.
- CMMC requires effort, but from an SMB perspective the benefit far outweighs the cost.
- Nodeen hopes SMB owners walk away knowing there is a path to success and that it won’t be hard to accomplish.
Following those introductions, Roberts led the panel through engaging and relevant questions that can serve as guidance for CMMC preparation.
What should each supplier be responsible for?
- (Gov) The responsibility of primes is to provide a supply chain response plan.
- (DoD) Share information with private sector to eliminate gaps in learning
- (SMB) Communicate with your supply chain early and often. Do a gap analysis to understand where critical investments are most needed; CMMC is designed to help with this. Work with your primes and with associations that already have guidelines in place.
- (Small Businesses) Learn what it means to do your job, review policies and procedures often, and take that “crawl, walk, run” approach. Don’t overthink it.
- The auditor clearly needs to know what compliance is all about and where in the business each responsibility lies.
Moving forward, how should CMMC be evaluated in RFPs?
- When requirements are recognized that weren’t initially in the contracts, you may see updated rollouts adding new standards and requirements.
- When dealing with major policy changes it is important to engage with industry. GSA does this through Section 889; that model could also work for CMMC.
In what areas could existing capabilities be used to help automate the on-ramp for CMMC?
- There is an opportunity for vendors or providers to look at their existing capabilities and map them across the control set, so that it is obvious to consumers how their investment gets them to the compliance level they want.
- The easier you make this for a company, the better overall compliance and cyber hygiene will be
- Look at advanced computing capabilities such as AI and machine learning to enhance and modernize telecommunications backgrounds.
- This is where we need to go with CMMC: a continuous automation process that eliminates backlogs and enables businesses to find where they fall on the maturity levels.
Can CMMC help us hone the governance, risk and compliance work we need to be doing, or does it multiply what we should be doing? How can we leverage CMMC to get to a better place?
- The government is at a point where companies can no longer self-certify, hence the need for third-party auditing to protect the country from risk.
- It is important to put in place a national, whole-of-government response to cybersecurity similar to the actions taken against COVID-19. There is more that can be built on this model.
- An iterative process can get any business to any level it desires before it spends money to be audited.
- There are learning opportunities for contractors, assessors, and the federal government to close gaps and leave everyone better off and with less uncertainty.
Closing remarks: a ray of hope for those concerned about CMMC
- There is a huge ray of hope. There is no need to panic and no need to spend a lot of money until you have determined how certification will be useful for your SMB.
- Understand your situation, business model, employees, what, where and how things are being handled, and how this would work for your business BEFORE running off to get self-certified.
- Take a deep breath, but don’t wait for CMMC; be proactive, with a thoughtful approach to understanding where your gaps are.
- As you plan your budget, look for the most effective ways to spend your compliance money.
- This is an important step for a collective improvement in cyber hygiene.
- This certification is just one tool in our toolbox. It’s not a perfect tool but it is one we can use.
- We cannot ignore this force anymore and must find a useful way to implement compliance.
- CMMC is an example of government working
- Opportunity to enhance cybersecurity and protect our national security.
Terry Roberts concluded the panel with her own remarks stating:
- “I see CMMC as a huge opportunity.” Adversaries are only growing, and we don’t have a sense of what is threatening SMBs, as the vast majority of it isn’t being reported.
- “It’s not if CMMC, it’s how, and how to fast-track it.”
All panelists agreed: a methodical approach and a commitment to CMMC will make it easy to implement and effective once implemented.