The Cybersecurity Maturity Model Certification, or CMMC, is a major topic of concern for companies serving within the Defense Industrial Base (DIB). But whether or not you supply products, services, or people to the federal government, cyber vulnerabilities are also putting commercial businesses at the top of news headlines. DHS recently issued guidance requiring pipeline operators to report potential and confirmed cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and mandating that pipelines designate a cybersecurity coordinator to report cyber-attacks. So elements of CMMC are now spilling over into the commercial sector as well.
While CMMC has already drawn criticism because small businesses are required to adhere to the same standards as large contractors, the reality is that cyber attacks will only continue, and any company doing work in the U.S. should be concerned if its cyber policies and procedures are not up to snuff. Our conversation with Vince Scott highlights what companies should and shouldn’t do as CMMC is fully implemented.
WHAT NOT TO DO in obtaining Cybersecurity Maturity Model Certification
The CMMC procurement process adds a burden to the small businesses in the DIB, but there are still a few things companies should not do as they conduct their internal audits prior to accreditation. Vince currently serves as the Founder and President of Defense Cybersecurity Group, which focuses on DoD cybersecurity, cyber compliance, and assessments; he also serves as the Chief Security Officer for STI-TEC, a medium-sized government contractor.
Self-assessments in the DoD, which differ from CMMC entirely, have a specific short-term applicability that is different from the monster certification. The basic self-assessment requirement in today’s rules stems from an interim rule from last year: if you process Controlled Unclassified Information (CUI), you must submit a basic assessment through the Defense Contract Management Agency (DCMA), scoring yourself. Vince warns that just because you don’t think you handle CUI doesn’t mean you won’t be held accountable if you don’t work through a basic self-assessment. Even a flower shop outside an Air Force Base that did business on base had to supply its score. Just don’t make false claims to the government about what your score actually is.
Lastly, don’t invest in the get-rich-quick companies that claim they can fix your entire process in 30 days. Vince tells us that a full cyber assessment and implementation of best practices takes much longer than that.
WHAT COMPANIES SHOULD DO for CMMC
Vince had a diverse career in military operations, cyber and information warfare, and intelligence operations, and brings that combined military and private-sector perspective to guiding companies to successful compliance. He notes that small and medium-sized businesses still need to defend their networks: look for inventive ways to reduce your implementation costs while still being compliant.
Vince’s number one piece of advice is to start early. Start now. It is currently the hardest certification in the industry, but for good reason. Secondly, Vince says to get help, because it takes a village to maintain compliance.
Companies should also be assessing what they are doing in cyber today and where their gaps are, and embark on this journey gradually over months to a year. He has found that this tends to be less expensive than having to implement everything over a short period of time. Basic self-assessments, in which you score yourself, are a great place to start, and every company should be doing them. If you think your score is bad, you’re not alone.