Those of us in the IT world have deep knowledge of cybersecurity and understand the importance of safeguarding our systems, data, and intelligence from outsiders and nefarious entities. And as members of the defense industrial base, we know that compliance with NIST 800-171 and CMMC is required to continue doing business with the DOD.
Chances are it has been a challenge to convince your organization's C-suite to take compliance with these mandates seriously. How do you convince the higher-ups at your company to commit to complying with these requirements and add a line item for compliance to your company budget?
Align CMMC with other compliance initiatives.
Any business understands compliance, as it touches so many functions within a company. Think adhering to hiring and termination procedures for HR, meeting exacting specifications for manufactured parts for engineering, and complying with Sarbanes-Oxley for finance. Use this knowledge to your advantage and tell the story of CMMC through the lens of compliance. Make compliance with this standard a business decision rather than a technology, licensing, or cost discussion.
Getting started on your compliance journey will mean measuring where you are and understanding where you need to be to become fully compliant. Knowing the answers to these questions helps address how much CMMC compliance will cost and how long it will take.
Compliance for all functions is an ongoing journey, and you are never really done. That means it’s also important to address long-term maintenance to make sure everyone understands the operations involved in ongoing CMMC compliance. This compliance initiative is persistent and ultimately becomes a forecastable line item in your budget.
Communicate that the risk of non-compliance stands in the way of revenue.
A contract that your business is uniquely skilled and situated to bid on and win might be at risk if you haven’t implemented the controls CMMC requires. Also, meeting the requirements of NIST 800-171 is good cybersecurity hygiene—it’s very practical and effective at protecting you against nation states.
For the next 24 to 36 months, CMMC compliance is truly a competitive discriminator because so much of the defense industrial base has not achieved compliance. All other things being equal, if a contracting officer is looking at your business and another business to provide a capability, and you’ve achieved compliance with a score of 110 that you’ve entered into SPRS, and they haven’t, you win that contract.
The cost of compliance ultimately becomes a cost of doing business with the government. At CyberSheath we have a solution that allows companies ranging from 10 employees to several thousand to make the cost of compliance far less than the business benefit. Organizations come onto our platform and achieve compliance. The cost is a known entity, tied to the 110 controls of NIST 800-171.
Share that executive level accountability is imminent.
Another part of CMMC that is going to be rolled out is executive level accountability. The DOD has said that a senior member of the executive team, such as the CEO or CFO, will have to go into the government database, SPRS, certify the results of your company’s assessment, and attest to your compliance.
Requiring this action will drive a change in behavior. It will bring visibility to the auditing of the controls outlined in CMMC and provide a mechanism supporting executive level accountability and visibility. This in turn drives resources to solve any problems down to the level where the work is being done. Change can happen when you get that executive engagement—and that’s where the DOD is going with CMMC.
The time is now for cybersecurity and IT to take a transformational step. Executives should lean into that opportunity knowing that IT and compliance with cybersecurity standards are measurable functions that support your organization.