The Cybersecurity Maturity Model Certification (CMMC) framework seeks to help assess defense contractors’ compliance with cybersecurity requirements to protect contract data and controlled unclassified information (CUI) from continued adversarial threats and other cyberattacks. CMMC compliance has been a hot topic amongst stakeholders in the defense industrial base (DIB).
Be wary of the CMMC certification experts and gurus online and in your inboxes. They may be able to do gap assessments and prepare you, but no one fully knows hard requirements just yet. The DoD plans to begin including CMMC in contracts late next year. So, given the recent forward movement in the CMMC process, Matt Hodson who is the Chief Technology Officer (CTO) at Valeo Networks joins the Security Clearance Careers podcast to discuss what might be next – if we can even guess.
Valeo Networks adopts a more guarded stance on CMMC. They describe their outlook as “cautiously optimistic,” expressing the sentiment that potential problems are almost a given – simply because it’s a government endeavor – and are looking for some semblance of certainty in an ever-changing compliance landscape.
Hodson gives us the rundown on what CMMC is for those who may not work in the cybersecurity or compliance field, and discusses the hurdles contractor’s will likely face when it comes to different levels. While new contracts will have the level noted in the solicitation, previous awarded contracts will be unknown.
Could the different leveled requirements also stifle economic growth for certain companies in going after work?
Implementation of CMMC has been delayed numerous times as the DoD continues to change the details and requirements of the program. Hodson shares the obvious potential benefits of the program: more secure data. However, this is only “potential” if the program is deployed properly.
A few weeks back, the DoD Inspector General (IG) announced it plans to conduct an audit into the program, hoping to determine whether CMMC sufficiently meets the department’s cybersecurity needs and accreditation regulations.
The audit will find something, but it all depends on how the government frames what information they collect. CMMC requirements are still in the rulemaking process and this summer, a new proposed rule to deploy CMMC 2.0 was sent to the Office of Management and Budget (OMB) for evaluation.
