Cybersecurity incidents and costs are going up. The Department of Defense has apparent reasons it needs various suppliers better to protect classified, controlled, and contract information. The “self-verify” and “we trust you” system to protect information from cyber threats isn’t working. The problem concerning knowledge capital and downtime to the defense industrial base is now more expensive than the costs involved with addressing the risks.

Insurance companies are already trending this way. To get cybersecurity insurance, an organization must prove they have the proper controls in place.
Organizations trying to comply with CMMC or other regulatory frameworks will need to implement managed security. What is managed security?

Success is:

• • Risk-based
  • Identifying/Closing /Maintaining security gaps
  • Ability to recover
  • Compliance reporting

Many organizations aren’t acting because they have defined the problem as too complex, too technical, or too expensive.
If your organization is serving the Department of Defense directly or indirectly through contracts, you are part of the Defense Industrial Base. If these contracts are strategically important, then the strategic decision should be to take the following next steps:

• • Understand your cybersecurity gaps
  • Create reasonable plans to address them over time
  • Shift to a “proof” based mindset and outcomes
  • Work to establish strategic partners who can help your organization do this reliably and affordably.

Start with a gap assessment (informal or formal) to help you understand the gaps. Next, discuss solutions, costs and begin to implement the required controls. It may not be a way to become CMMC compliant right away, but to better secure, protect, and, when necessary, recover the organization’s assets.

You’ll also gain confidence as a decision-maker about where you are, where you need to go, and the overall reality of the costs. (which may not be as bad or onerous as you think)
If you are struggling to find a CMMC consultant, know that this is pretty new, and there aren’t lots, and the ones out there are charging a premium because that’s what the big boys and girls are paying. Don’t let that stop you – many IT providers with cybersecurity practices are well versed in government regulations as they have been managing banks, medical practices, and other financial institutions for years. CMMC is not new standards and best practices but rather a model created by combining standards and best practices from other existing frameworks.