As a contractor in the defense industrial base, your company needs to be ready to demonstrate compliance with CMMC. You should have the resources and ability to take action if you want to stay eligible for federal contracts.
CMMC timeline: Today, not tomorrow
During our CMMC CON last year, we had the chance to talk with Jeff Dalton, the newly appointed chairman of the CMMC Accreditation Body, about all things CMMC, including the urgency for acceptance of the new mandate. “We are out of time to protect our data and our networks,” he says. “We’re being infiltrated and attacked as we speak, probably far more than the average person realizes. Companies should be adopting some standard now—today. CMMC/NIST 800-171 provides evolutionary paths to maturity, which are critically important as you can’t just say, ‘We’re cyber secure today’ and think your organization is all set in perpetuity.”
As you work to wrangle your cybersecurity initiatives, apply the same rigor, methodology, and project management that you would use if you were building something for your customer. Treat CMMC and cybersecurity the same way: create a project, craft and resource a plan, and measure your progress.
One standard, one model to move the country forward
Being closely tied to CMMC, Jeff of course believes in the strength of the standard, but he says it doesn’t matter to him which framework or model companies choose, as long as they apply some rubric to advance their security posture. “CMMC is a baseline,” he states. “I would be ecstatic if the various agencies, corporations, including the Fortune 100, and all their suppliers, would use it as their baseline to measure themselves against.”
Committing to adherence to a baseline provides the expectation that your organization is going to meet certain requirements and then work to further improve your processes. “That’s why I like CMMC because it’s having various levels,” Jeff continues. “You complete one level, and then there’s another level to reach for.”
Another reason for standardizing on CMMC is that it already has an ecosystem, which other models don’t possess. “We are in a situation now in our country where they have to adopt something, get started, and then be able to measure performance.”
There’s no turning back
If you examine any serious aerospace, space travel, or automotive company, or any entity making millions of high-cost products, they all have processes, standards, and policies that they follow. With software, cyber and IT services, and most technology engineering disciplines, there is resistance to standardizing processes and policies. That needs to change.
CMMC is here and it’s real. The training has started. “We have thousands of people in the ecosystem now. Many people have been through the training and program, and certified assessor training is about to start,” Jeff shares. “The AB is also offering new executive training, which is aimed at the executives and purchasing agents of organizations seeking certification.”
“CMMC has caused cybersecurity to become dinner table conversation and that’s a really positive thing because we’re never going to change until we all start thinking about it and doing something about it,” he concludes.
When your company is ready to take the next step on your path to more robust cybersecurity, contact the experts at CyberSheath. We’re here to help you meet your compliance and cybersecurity goals.