Leaning into CMMC as it Evolves Works

By Eric Noonan • April 19, 2022

Right now, many organizations are struggling to make sense of the recent information released regarding the evolution of the CMMC standard, specifically the retirement of version 1.0 and the introduction of revision 2.0. After reviewing the new materials, the question becomes, “What do I do now?”.

One important thing to remember is that regulations have always been shifting to meet the ever-changing business, threat, and security landscapes. In fact, before CMMC, companies needed to adhere to NIST 800-171, and before that DFARS 252.204-7012. Because of the constant stream of acronyms and the resulting confusion, most companies have either given up trying to understand it all or have enlisted professional support to help meet the evolving requirements.


Past experience applies to today’s challenges

Before I founded CyberSheath, from around 2008 through 2012, I was the Chief Information Security Officer for BAE Systems. At that time, compliance with the emerging cybersecurity guidance was voluntary. Within the company, we struggled with how to approach it since it was not required, but it was a legitimate national security issue that our board cared deeply about.

As one of the eight largest defense contractors, we joined our colleagues at the Pentagon, where the Deputy Secretary of Defense said in a classified briefing that we all needed to stop foreign entities from infiltrating our computer networks and stealing our intellectual property. The meeting called upon defense contractors to do their patriotic duty and safeguard the data entrusted to our care. The government also wanted industry to start sharing threat information and report cybersecurity incidents. Many of the largest prime contractors actively resisted the idea of sharing information with the government, feeling that their companies either might be put at a competitive disadvantage or that they were better equipped and better informed about cybersecurity matters. I recognized early on that resistance was futile; eventually this was going to be mandated, and, more importantly, I sincerely believed this was a matter of national security. We leaned into the effort to improve our defenses, share information, and be a good partner to our largest customer, the United States government.

We started down the path of meeting the cybersecurity standards as they were introduced. Even though it was voluntary, nobody was compelling us to participate, and there were no penalties, we simply decided that actively supporting this emerging public-private partnership was the right thing to do. I was blessed with an executive leadership team and board that were ahead of their time in making cybersecurity a board-level issue, a rarity at the time.

In many ways, my journey then parallels where the defense industrial base is today as they ask, “Do I ignore this until the government figures out what they want to do? Or is there some kind of playbook I can follow to get this done?”


Moving forward with CMMC 2.0

With CMMC 2.0, defense contractors can take a similar approach in a way that’s both cost-effective and smart. As a company, you will have to implement and comply with a construct that’s probably going to change over the next two years, but there are foundational steps that you can take now that will continue to make sense in the future, regardless of how things progress.

For example, we know NIST 800-171 is the law of the land and that is not changing. One good option would be for your company to fully implement NIST 800-171. If you are not sure where to begin, start with an assessment so that you understand how far out of compliance you currently are. The requirements outlined in the NIST standard represent good cybersecurity hygiene controls, and any work you do to meet those requirements is going to pay dividends as you look to secure and maintain government contracts and, ultimately, full compliance with CMMC.


Looking to the future

It’s obvious that cybersecurity is going to become more important and more widely mandated for federal contractors. So, if you are a federal contractor, there is minimal risk in embracing NIST 800-171 and a lot of upside. Ultimately, whether you work with DoD, DHS, NIH, or the Department of Agriculture, there’s going to be some level of minimum requirements—and they’re probably going to map back to a NIST standard.

The best partner to help you follow the rules is the one that helped write them. At CyberSheath, our executives have been involved in development of the first and every version of DoD cybersecurity initiatives since 2008. If you need any assistance navigating the cybersecurity standards and applying them to your business, contact us.
