“Explaining CMMC to my colleagues is harder than explaining Bitcoin to my grandmother.”
That’s the comment that caught the attention of Matthew Travis, CEO of the CMMC Accreditation Body, and prompted him to discuss CMMC opportunities and challenges on day three of the NCMS Seminar, an annual training event for security professionals. The Cybersecurity Maturity Model Certification (CMMC) was designed to provide increased IT assurance across the DoD. The CMMC puts teeth into requirements to protect controlled unclassified information (CUI) and keep the cyber domain safe across government and industry. Defense contractors need to understand what’s involved with CMMC today, because by 2026, all CMMC requirements will be in contracts – for the whole supply chain.
The CMMC-AB is an independent third party and the sole CMMC authorization partner. It is still building its professional staff and obtaining accreditation, so to date it has been working under a no-cost contract with the DoD and with a volunteer board. It’s important to note that the CMMC-AB is not the policy maker. That job belongs to the DoD. However, the CMMC-AB plays a key role in clarifying the standard and working on training. Much of the work includes licensing companies that do assessments and training, and issuing certificates.
WHY IS CMMC NEEDED?
With 300,000+ in the Defense Industrial Base and cyber attacks growing, it’s clear that the supply chain is vulnerable. Doing nothing to improve cybersecurity really isn’t an option. It’s not enough to just say you do cybersecurity, so the CMMC provides a trusted baseline. Because cybersecurity threats are a collective risk, players across the defense industry need to make things as difficult as possible for the enemy, Travis emphasized.
HOW CAN WE BE MOST EFFECTIVE?
Travis walked through the 17 CMMC domains as well as the key roles in the CMMC ecosystem. While it can be a lot to work through, there are a lot of resources available to learn where you have gaps and incrementally improve over time. Nothing has to be implemented overnight – that wouldn’t be possible. Since adversaries go after the weakest link, it’s especially important to focus on CUI to make sure it’s protected.
Companies do not need to build supercomputers to combat cyber threats, Travis’ remarks emphasized. It’s important to understand the environment, document processes, and demonstrate actions taken – CMMC documentation can be the most critical element for many companies. It’s hard to get started, but this process should be approached systematically to build a security management plan.
CMMC is a part of the DoD’s larger effort to avoid checklist security. While documentation is key, simply checking items off the NIST list isn’t enough. Travis emphasized two other keys to CMMC compliance and implementation:
- Employee training
- Recovery planning
If your company is attacked, do you know what to do? Is there a plan in place? If you’re unsure how to reach companies that can support you and help recover your data, the time to figure those things out is before you are attacked, notes Travis. Maintenance is also a critical piece in the equation.
WHERE IS CMMC NOW?
In March, DoD took a deep dive into reviewing CMMC, and those changes are being implemented. The interim rule was posted last fall, and more than 800 comments are being reviewed before the final rule. GAO is also continuing to assess CMMC, and the ecosystem continues to grow each week. There will be tweaks in implementation aimed at reducing the financial burden, since the goal isn’t a certification process that is burdensome to contractors. The goal is to shore up cybersecurity, and reducing costs wherever possible is a goal as well.
The most important thing is not to wait to start implementation, says Travis. Cybersecurity is never a bad investment, but implementation does take time. A deliberate and methodical approach saves costs and makes you a market standout. With CMMC not going anywhere, the time to start is not 2026 – it’s now. Both the DoD and the CMMC-AB are working through the different challenges and finding ways to support companies with this change.
No one is saying CMMC will thwart every attack, but it does impose a greater level of difficulty for threat actors and will increase security – as well as improve responses when attacks happen.