Recapping the Key Take-Aways from Gigit’s Panel Discussion, “CMMC and the Race to Remain Competitive with DoD Contracts”
On March 17th, Gigit hosted a live panel discussion with some of the country’s foremost experts on CMMC, including Regan Edens, Chairman of the Standards Management Committee and Vice-Chairman of the Training Committee for the CMMC Accreditation Body; Richard Wakeman, Microsoft’s Senior Director of Aerospace & Defense for Azure Global Engineering, the commercial industry lead for Azure Government, and the Program Manager for the Microsoft CMMC Acceleration Program; as well as Gigit’s own CEO, Matt Titcombe, a member of the CMMC Industry Standards Working Group that drafted the initial DoD-published CMMC Assessment Guides and supported their subsequent reviews, and CMMC Provisional Assessor #17.
In addition to deep discussion of the questions posed by the panel moderator, the audience Q&A portion of the event generated more questions than there was time to answer. Clearly, this is a hot topic, so we wanted to recap the key take-aways for your benefit. If you want to watch the full recording of the panel discussion, it is available here.
- CMMC came about because self-attestation by DoD contractors failed
- There are now 181 total requirements under CMMC, up from the 110 under NIST SP 800-171 alone
- All organizations dealing with the DoD, and particularly Level 3 organizations, will now have to be CMMC compliant and certified by a third-party organization (C3PAO)
- Most organizations will either be Level 1 (Federal Contract Information only) or Level 3 (FCI + CUI)
- The DFARS clause is not well understood
- CUI is also not well understood (nor is it understood that unmarked CUI is still CUI). Know where your CUI is and identify it. CUI stakeholders, including Quality personnel, are heavy lifters.
- There’s a genuine lack of understanding of all these information security requirements and their sub-set of Assessment Objectives, yet accurate interpretation and assessment are crucial.
- There’s a price to pay (figuratively and literally) for beginning the CMMC process and getting it wrong at the time of Assessment. The Assessor can only tell the business that they didn’t pass and where in the certification process they fell short, not what they did wrong, because that would enter the realm of Consulting, which an Assessor brought in as an Assessor is not allowed to do.
- Leadership buy-in and evangelism is critical for CMMC early adoption
- Federal contractors should be willing to buy into those smaller sub-contractors that have made a real effort early on to get on the CMMC bandwagon
- There’s a growing focus on the supply chain. The DoD continues to look at its own supply chain which in turn is forcing those in the supply chain to better scrutinize their own supply chain. Consider third-party risk management (TPRM) and supply chain risk management (SCRM).
- Mature your security into a zero-trust architecture.
- “Layer-up on security; don’t just rely on one solution.” (Richard Wakeman, Microsoft)
- Select the right cloud service offering. Straddling is too complex.
- In the very near future, there are going to be very few truly qualified people in the country able to help businesses navigate their CMMC journey accurately, soundly, and reliably.
Obviously, CMMC is going to make a big difference at the DoD contractor level. If your company is just getting started on its CMMC journey and needs expert counsel, contact Matt Titcombe today!