The Cybersecurity Maturity Model Certification, or CMMC, is seemingly overwhelming: a new cybersecurity framework, five different levels of maturity, 17 capability domains, 43 capabilities, 171 practices, third-party assessors, defense contracting requirements, and costs.

What the hell?

Let’s start with the why.

Cybersecurity incidents and their costs are going up. The Department of Defense has clear reasons for needing its suppliers to better protect classified, controlled, and contract information. The “self-verify” and “we trust you” system for protecting information from cyber threats isn’t working. The loss of knowledge capital and the downtime inflicted on the defense industrial base now cost more than addressing the risks would.

Insurance companies are already trending this way. To get cybersecurity insurance, an organization must prove it has the proper controls in place.

Organizations trying to comply with CMMC or other regulatory frameworks will need to implement managed security. What is managed security?

Managed security understands:

    • Regulatory compliance
    • Industry-specific threats
    • Impact

Managed security implements:

    • Auditing
    • Alignment
    • Controls

Success is:

    • Risk-based
    • Identifying/closing/maintaining security gaps
    • Ability to recover
    • Compliance reporting

Many organizations aren’t acting because they have defined the problem as too complex, too technical, or too expensive.

If your organization serves the Department of Defense directly or indirectly through contracts, you are part of the Defense Industrial Base. If those contracts are strategically important, then the strategic decision should be to take the following next steps:

    • Understand your cybersecurity gaps
    • Create reasonable plans to address them over time
    • Shift to a “proof” based mindset and outcomes
    • Work to establish strategic partners who can help your organization do this reliably and affordably.

Start with a gap assessment (informal or formal) to understand where your gaps are. Next, discuss solutions and costs, and begin to implement the required controls. This may not make you CMMC compliant right away, but it will better secure, protect, and, when necessary, recover the organization’s assets.

You’ll also gain confidence as a decision-maker about where you are, where you need to go, and the overall reality of the costs (which may not be as bad or onerous as you think).

If you are struggling to find a CMMC consultant, know that this is pretty new: there aren’t many, and the ones out there are charging a premium because that’s what the big boys and girls are paying. Don’t let that stop you – many IT providers with cybersecurity practices are well versed in government regulations, as they have been managing banks, medical practices, and other financial institutions for years. CMMC is not a new set of standards and best practices but rather a model created by combining standards and best practices from other existing frameworks.

In Montana, MMEC (the Montana Manufacturing Extension Center at Montana State University) can direct you to qualified resources. Talk with your industry association, even your insurance company. There are more resources out there than you think to help you strategically and tactically through this.
