Why Does CMMC Matter?

In a landmark development for cybersecurity, the U.S. Department of Defense (DoD) has simplified the compliance process for defense contractors with the release of the final Cybersecurity Maturity Model Certification (CMMC) program . This revision reduces the original five compliance levels to just three, making it easier for companies in the defense industrial base to meet cybersecurity standards and qualify for lucrative contracts. This change could significantly impact the cybersecurity industry, opening up new opportunities for compliance and growth while still emphasizing robust security measures.

Why CMMC Matters

The CMMC is a critical framework that requires defense contractors to demonstrate secure networks and practices capable of defending sensitive information against adversarial threats. Simplifying the model makes compliance more accessible but still ensures the government’s vital information is protected. This change is particularly significant in today’s landscape, where nation-state actors are targeting defense contractors to access intellectual property related to weapon systems and other defense technologies.

What's Changing in CMMC?

The biggest update to CMMC is the removal of two transitional compliance levels, reducing the total from five to three. This shift aims to streamline the certification process, making it faster for contractors to meet requirements. Yet, one key aspect remains unchanged: the final level of compliance requires rigorous government verification, not just self-assessment.

As my co-host, Shannon Tynes, aptly put it on our recent podcast episode, “I like that they simplified the process, but I still am a little wary about the fact that companies can self-assess at the initial levels. Self-assessments can create gaps in compliance, especially when the verification isn’t immediate.”

Potential Implications and Concerns

The simplification is a double-edged sword. On one hand, it creates more opportunities for smaller firms to enter the defense contracting space, boosting economic growth and innovation. On the other hand, it raises concerns about the potential backlog of companies seeking certification. As Shannon noted, “The defense industrial base's assessment center may not have the bandwidth to handle the influx, potentially compromising the thoroughness of evaluations.”

Resources for Aspiring Contractors

If you’re navigating the CMMC landscape, there are a few key players worth knowing:

• Courtney H. Jackson, MSISA, CISSP, CISM, CEH, CHFI , Founder and CEO of Paragon Cyber Solutions (8a, EDWOSB, SDVOSB, CMMC-C3PAO) | 2023 Small Business of the Year , a veteran-led C3PAO (CMMC Third Party Assessment Organization), based in Tampa, FL.
• Jacob Hill , Founder of GRC Academy , offering comprehensive CMMC training.
• Derrich Phillips, CMMC Certified Assessor , President and Founder of Aspire Cyber has developed “CMMC Proof” a Compliance Acceleration System to help meet compliance standards.
• Derron King Jr , Co-founder of Priority Defense offers a range of services to help our clients assess their current security posture, identify gaps, and implement solutions to meet the required CMMC level.
• Chris Abacon , CMMC Certified Professional (CCP) and Security Consultant at CompliancePoint can provide advice as a subject matter expert and consultant.

These experts are valuable resources as you prepare to meet CMMC requirements and protect Controlled Unclassified Information (CUI).

The Road Ahead

Though this final rule has been released for public inspection, it’s not yet law—Congress has 60 days to review and approve it, with an expected rollout in early 2025. While this may offer contractors a window to prepare, time is of the essence. As Ryan Williams Sr. emphasized, “People thought they had more time, but the final rule is here, and companies need to get ready now.”

For those aiming to get certified, it’s vital to understand the nuances of CMMC and find reliable guidance. The new CMMC may be complex, but it's an essential step in securing the nation’s defense infrastructure and enabling more businesses to contribute to the sector.

Thank you for reading and stay tuned for more episodes of The Other Side of the Firewall podcast on Monday, Tuesday, Wednesday, and Fridays, as well as, the Ask A CISSP podcast every Thursday. Make sure to also add The Cybe Coffee Hour to your podcast rotation! Please like, share, and, subscribe.

Stay safe, stay secure!

Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current roles at RAM Cyber Consulting & Assessments, LLC and BuddoBot . Buddobot’s mission is to support national security by transforming, empowering, and educating organizations to shift from reactive, diluted, automated, and high-cost IT and security practices to proactive, effective solutions that fortify their security.

Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO) for the U.S. Space Force, where he continues to enhance national security protocols.

Chris, a Navy veteran with over ten years in IT, information assurance, and risk management, currently works at CompliancePoint . His roles include vCISO, RMF assessor, and consultant, focusing on enhancing data security and privacy for various organizations.

Daniel is an Air Force veteran with over 15 years of combined experience in IT, cybersecurity, information assurance, and government risk compliance. He has held various roles, including IT administrator, cybersecurity engineer, senior information system security manager, and currently serves as a senior security consultant for Booz Allen Hamilton. In this latest role, Daniel leverages his expertise to address unique and complex challenges in the cyber and IT domains, enhancing his customers’ capabilities.

**The Other Side of the Firewall podcast is a product of RAM Cyber Consulting & Assessments, LLC . RAM Cyber is a premier Governance, Risk, and Compliance (GRC) consultancy dedicated to supporting the Defense Industrial Base (DIB), Federal agencies, and corporate entities. We specialize in delivering expert guidance to ensure compliance, mitigate risks, and enhance cybersecurity postures. RAM Cyber is pending SDVOSB, VOSB, and 8(a) certification by the SBA, underscoring our commitment to excellence and service.