Government contractors face continuous cyberattacks, including from hostile nation states. To protect the sensitive data those contractors handle, the Department of Defense (DOD) has prioritized cybersecurity by rolling out the Cybersecurity Maturity Model Certification (CMMC) 2.0, which verifies that contractors handling Controlled Unclassified Information (CUI) have implemented the security requirements of NIST SP 800-171. Meeting this standard is crucial for any contractor wanting to continue doing business with the DOD.
Balancing Cybersecurity Funding with Business Needs
Kelly Mullins, Vice President of Global Operations at Edge Case Research, shared valuable insights for defense industrial base (DIB) companies preparing for CMMC 2.0. With over 25 years of experience, Kelly knows how vital it is to balance business needs with compliance requirements. “Helping leadership understand the importance of cybersecurity is key,” says Kelly. “We need to show that meeting CMMC is essential for securing future contracts, and we need a budget that supports that.”
However, she acknowledges that securing full funding can be difficult. “When the budget isn’t what you hoped for, you need to get creative. Break the project into manageable pieces and prioritize. What can you achieve with the budget you have? How do you make the biggest impact in compliance and infrastructure security with limited resources?”
For Kelly, the key is balancing compliance with her team's ability to operate effectively and securely at Edge Case.
CMMC Compliance: Thinking Outside the Box
CMMC fixes the requirements but leaves room for how each one is implemented, so contractors can often satisfy a requirement without significant new spending. Kelly emphasizes the importance of thinking outside the box. “Working with the CyberSheath team has helped us look at our approach differently. Sometimes you can meet a requirement through policy changes or by tweaking existing systems, rather than investing in new software or infrastructure,” she explains. This can save costs while still ensuring compliance, provided the chosen implementation is documented in the System Security Plan and produces evidence an assessor can verify.
Vetting Your Supply Chain to Manage Risk
For DIB companies, managing supply chain risk is critical, especially since primes must flow CMMC requirements down to subcontractors that handle federal contract information or CUI, and now routinely ask those subcontractors for evidence of compliance. Post-COVID, vulnerabilities in the supply chain have become more evident, making it vital to vet suppliers thoroughly.
Kelly highlights the importance of the RFP process in vetting suppliers. “We use the RFP process to set expectations with potential suppliers. Whether it’s an upgrade to an existing service or a new one, the RFP defines our requirements, the nature of the relationship, and expectations around compliance. It’s a great way to align with supply chain risk management, especially in terms of CMMC.”
Setting clear requirements during the RFP process ensures that both parties understand compliance expectations from the outset, minimizing surprises down the road.
Collaboration Between IT and Security
Kelly stresses the importance of collaboration between IT and security teams to ensure CMMC compliance. “People don’t realize how many of the CMMC requirements fall on IT,” she says. A key part of achieving compliance is having a strong, trustworthy team with the technical skills to handle both IT and security requirements.
To expand her team’s capabilities, Kelly partners with CyberSheath for monitoring, security, and system hardening. “We’ve separated IT from security. CyberSheath handles much of our security needs, while IT focuses on day-to-day operations. We have each other’s backs, and that collaboration ensures we meet our compliance goals.”
Why Outside Partnerships Make Sense
For many smaller contractors, building an in-house team to handle compliance and cybersecurity can be cost-prohibitive. Kelly explains that outsourcing to a trusted partner like CyberSheath was essential for Edge Case. “When I started, our IT team was small. The cost of building a team capable of handling everything CyberSheath does would have been out of our budget.”
Choosing the right partner is critical. “You need to trust that your partner has the technical expertise, understands your business, and will work with you closely,” says Kelly. “Compliance isn’t a one-time thing—it’s an ongoing process that requires constant reassessment and adjustments.”
She also emphasizes the importance of availability and responsiveness. “I need a partner who’s accessible and responsive to my team’s needs. That plays a huge role in my decision-making, both in terms of cost and day-to-day operations. Due diligence is essential when vetting potential partners, whether it’s for hardware, software, or services.”
Selecting a Partner to Achieve CMMC Compliance
Trust is one of the most critical factors in selecting a service provider. “Can I work with this team? Do I trust them? Do they have the expertise we need to meet our goals on time?” Kelly asks. Building a strong relationship with your partner is key to ensuring compliance is maintained over time.
If your organization is preparing for CMMC 2.0 and you need expert guidance, CyberSheath is here to help. With deep expertise in DOD cybersecurity requirements, we can partner with your business to ensure you meet the new standards and remain eligible for DOD contracts. Contact us today to learn more.