Some Preliminary Steps Can Pave Way for CMMC Success
Media coverage and dialogue around cybersecurity are so commonplace that some people are becoming numb to how serious and pervasive the impact and damage can be. The cost of malevolent cyber activity is projected to hit $6 trillion annually by 2021. The average cost to businesses that experience a data breach is estimated at $3.86 million. Can any organization afford that?
The COVID-19 pandemic created massive transitions to remote work environments, presenting both increased flexibility and increased risk exposure, as demonstrated by the SolarWinds breach and hundreds of other hacks last year against federal agencies, private corporations and individuals.
Cybersecurity Maturity Model Certification (CMMC) is a crucial — and mandated — step for businesses working for the Defense Department. If an organization handles defense information or controlled unclassified information (CUI) — from data to maps, plans, models or manifests — CMMC relates to the business.
Certification could also mean the difference between company survival and closing shop as it becomes a key contract requirement.
Determining where to start can leave even the most adept organizations in a holding pattern. CMMC is structured like a nesting doll: 17 domains contain 171 practices, grouped under 43 capabilities and categorized into five process maturity levels, which all culminate in one of five certification levels.
Here are five steps that will help launch a team’s momentum in a strategic direction.
Step 1: Gather your internal team.
Teams are the foundation of success, so know who is in your wheelhouse. For CMMC, this may include traditional cybersecurity-focused leaders as well as communications professionals, human resource directors or project managers. The project team’s structure is malleable, and leaders know their organization’s aptitude best. Start dialogue now, align expertise, delineate a leader, and host structured, regular meetings.
Doing so will empower a team to take ownership of the long-term process.
Step 2: Learn and keep learning.
When certifications are established, there is an information deluge spanning logistical necessities to infinitesimal “what ifs.” The con: information overload. The pro: information overload. Rely on your established internal project team to strategically read, review, interview and attend webinars so you collectively grasp the certification framework. Then, continue doing so as the framework will evolve.
Defense contractors need to understand the interim rule built around NIST 800-171 assessments, which became effective Nov. 30, while also learning CMMC, which is rolling out in phases through September 2025. Each has already changed and is likely to continue doing so. Ensuring a team stays vigilant of new information strengthens its position.
An important and sticky detail is this: any organization submitting bids for defense contracts needs to have already submitted its 800-171 assessment and should be actively closing its “Plan of Action and Milestones” — which explains why most organizations need some form of external expert support.
Step 3: Find your holes.
Have you had a tire with a potential leak? The only way to fix it is to dedicate time to find the hole and determine the proper fill. It is mission-critical to discern a team’s capabilities and the certification’s requirements, determine how well the organization’s abilities match those requirements, and catalog the gaps. These could be in a team’s knowledge base or in the deliverables it provides.
With CMMC, it means the difference between small businesses earning a Maturity Level 3 or 5, which translates to viably competing for contracts and overall business survival. Sometimes the greatest knowledge is knowing what you don’t know. Just like the tire, the gaps can be filled, but you need to know where they are.
Step 4: Collaborate with external experts.
There is value in seeking external support. This fresh brainpower and knowledge can amplify your internal team. The key is choosing the right-fit advisor. Consider the following: Does the organization have a track record for advisory services, and are they continually tracking this certification? For CMMC, cybersecurity advisory services actively monitoring the framework’s evolution make the strongest partners.
Does the organization offer fixed-pricing structures? CMMC advisors often conduct initial assessments for small fees; after that, as with other certificates, cost estimates vary depending on the extent of collaboration.
Is there more than one estimate? Take time to review options. It saves money and confirms you made the right decision.
Step 5: Prioritize your approach.
Success takes time, perseverance and work on competing tasks. Focusing on achieving excellence in specific areas is more efficient than spreading a team thin to attain broad lower-level compliance. If aiming for CMMC Level 5, consider concentrating on the individual domains that need improvement and expanding the breadth as each domain reaches its maximum maturity level. This culture of excellence will institutionalize and permeate the broader organization, whether it is normalizing cybersecurity or another best practice.
No matter what certificate a company aims to earn, the key is to start now. Information is available and resources will be there as contractors craft their approaches. They may even find they are further along than anticipated.
Rick Hill is senior vice president of HumanTouch LLC, a PMP, computer engineer and government contracting expert.