To bid on upcoming contracts, companies with customers like Boeing, General Dynamics, Northrop Grumman and many others will need to secure a Cybersecurity Maturity Model Certification (CMMC).
Doing so can be exceptionally complicated. I've been working towards getting prepared to submit an organization for an audit for well over a year now, and I've learned a lot along the way.
- Partners, like Cloud Service Providers and other Managed Service Providers, may have to be involved in your audit. They don't necessarily have to achieve CMMC themselves, but as an extension of your company's Information Technology / Information Services function, they may be in scope for the audit. That may add orders of magnitude more complexity, and, depending on your situation, may move requirements for achieving CMMC into another party's set of responsibilities.
- Having an updated System Security Plan (SSP) is not only necessary, but also invaluable to your IT team and your company. But it is extremely sensitive and must be safeguarded. Think hard about how you want to draft it, where you want to keep it, and with whom you want to share it.
- Having a dedicated platform to manage Controlled Unclassified Information (CUI) can drastically narrow the scope of your CMMC audit. I've been fortunate to find some excellent cloud service providers who are reasonably priced, and they can take whole chunks of what is needed to achieve CMMC off your plate.
- Join even some vendors' webinars and you will learn a lot. You don't have to restrict your sources only to the Cyber AB, for example (although they are excellent). Some solutions vendors will invite representatives from a C3PAO (CMMC Third Party Assessor Organization), and having the perspective of the auditors themselves when discussing challenges and potential solutions is phenomenally helpful. Take lots of notes!
With the upcoming publication of the final CMMC ruleset happening in December of 2024, there isn't much time left to prepare. But for knowledgeable organizations, with the right partners helping, there may still be enough time to earn and keep our critical customers assured that companies are working alongside them to protect and enhance the security of the US Defense Industrial Base.
Major Account Executive at Spectrum Enterprise | Partnering with C-Suite and IT leaders to help address and support key business & technology initiati
4 months ago
Doug Poirier - I want to acknowledge and thank you for posting these timely and detailed recommendations on #CMMC. Defense Industrial Base (DIB) manufacturing companies have always been the primary target for state-sponsored bad actors and the threats are amplified now like never before by rapidly escalating geo-political tensions. That said, feel free to reach out for any assistance you and your team may need. #Spectrum has an extensive and successful track record of protecting Government entities and DIB vendors that serve them. It would be a privilege to help #HardwareSpecialty assess, plan, and implement effective strategies to adhere to CMMC guidelines and reduce cyber security risks. DM me or call directly at 646-531-2504. Talk soon!