Leaning into CMMC as it Evolves Works

By Eric Noonan • April 19, 2022

Right now, many organizations are struggling to make sense of the recent information released regarding the evolution of the CMMC standard, specifically the retirement of version 1.0 and the introduction of revision 2.0. After reviewing the new materials, the question becomes, “What do I do now?”.

One important thing to remember is that regulations have always been shifting to meet the ever-changing business, threat, and security landscapes. In fact, before CMMC, companies needed to adhere to NIST 800-171, and before that DFARS 252.204-7012. Because of the constant stream of acronyms and the resulting confusion, most companies have either given up trying to understand it all or have enlisted professional support to help meet the evolving requirements.


Past experience applies to today’s challenges

Before I founded CyberSheath, from around 2008 through 2012, I was the Chief Information Security Officer for BAE Systems. At that time, compliance with the emerging cybersecurity guidance was voluntary. Within the company, we struggled with how to approach it since it was not required, but it was a legitimate national security issue that our board cared deeply about.

As one of the eight largest defense contractors, we joined our colleagues at the Pentagon, where the Deputy Secretary of Defense said in a classified briefing that we all needed to stop foreign entities from infiltrating our computer networks and stealing our intellectual property. The meeting called upon defense contractors to do their patriotic duty and safeguard the data entrusted to our care. The government also wanted industry to start sharing threat information and report cybersecurity incidents. Many of the largest prime contractors actively resisted the idea of sharing information with the government, feeling that their companies either might be put at a competitive disadvantage or that they were better equipped and better informed about cybersecurity matters. I recognized early on that resistance was futile: eventually this was going to be mandated, and, more importantly, I sincerely believed this was a matter of national security. We leaned into the effort to improve our defenses, share information, and be a good partner to our largest customer, the United States government.

We started down the path of meeting the cybersecurity standards as they were introduced. Even though it was voluntary, nobody was compelling us to participate, and there were no penalties, we simply decided that actively supporting this emerging public-private partnership was the right thing to do. I was blessed with an executive leadership team and board that were ahead of their time in making cybersecurity a board-level issue, a rarity at the time.

In many ways, my journey then parallels where the defense industrial base is today as they ask, “Do I ignore this until the government figures out what they want to do? Or is there some kind of playbook I can follow to get this done?”


Moving forward with CMMC 2.0

With CMMC 2.0, defense contractors can take a similar approach in a way that’s both cost-effective and smart. As a company, you will have to implement and comply with a construct that’s probably going to change over the next two years—but there are foundational steps that you can take now that will continue to make sense in the future, regardless of how things progress.

For example, we know NIST 800-171 is the law of the land, and that is not changing. One good option would be for your company to fully implement NIST 800-171. If you are not sure where to begin, start with an assessment so that you understand how far out of compliance you currently are. The requirements outlined in the NIST standard represent good cybersecurity hygiene controls, and any work you do to meet those requirements is going to pay dividends as you look to secure and maintain government contracts and, ultimately, full compliance with CMMC.


Looking to the future

It’s obvious that cybersecurity is going to become more important and mandated for federal contractors. So, if you are a federal contractor, there is minimal risk in embracing NIST 800-171 and a lot of upside. Ultimately, whether you work with DoD, DHS, NIH, or the Department of Agriculture, there’s going to be some level of minimum requirements—and they’re probably going to map back to a NIST standard.

The best partner to help you follow the rules is the one that helped write them. At CyberSheath, our executives have been involved in the development of the first and every subsequent version of DoD cybersecurity initiatives since 2008. If you need any assistance navigating the cybersecurity standards and applying them to your business, contact us.
