Aaron Hamlin, practice leader of cybersecurity consulting at BARR Advisory, spoke alongside Brian Naji, senior director of audit alliances at Drata, and Matt Bruggeman, director of GTM federal at A-LIGN, in a recent webinar on all things CMMC 2.0.
During their talk, the trio explained the significance of CMMC for organizations working with the Department of Defense (DoD) and broke down what business leaders can expect as they move through the CMMC assessment process.
“The reason CMMC exists is because the self-attestation model did not work,” Bruggeman said. “The DoD was actively trying their best to not force this onto people, but sensitive information kept getting out because these security controls were not in place.”
Now, with CMMC 2.0—the latest version of the framework—organizations that do business with the DoD must meet specified security requirements depending on the level of sensitive information that they have access to.
According to Naji, the majority of companies fall into Level 1, meaning they don’t handle controlled unclassified information (CUI) in any capacity. At this level, a self-assessment is sufficient.
“These are folks that do not have access to sensitive data,” Naji said.
Level 2 adds “scope and rigor,” Hamlin said. At this level, organizations are required to undergo a third-party assessment by a certified third-party assessor organization (C3PAO).
“The quickest way [to determine what level of compliance you need] is to go to the folks in your company that are responsible for managing your sales and running business development, because they’re getting in front of the contracts,” Hamlin said.
Whether you’re working with a prime contractor or the government itself, they should make their expectations of your organization clear from the start. “It should be a black-and-white conversation,” Hamlin said.
At all levels, CMMC is a “very in-depth and technically forward” framework, Naji said. “There’s a lot of interest and demand to get CMMC as soon as possible.”
Bruggeman said many organizations he works with are overconfident in their ability to meet the standard’s strict requirements.
“Get with the right partners, make sure you’re scoping and actually meeting those controls in the way that you need to,” Bruggeman said. “The need to focus on making sure that you’re actually looking at the right scope, that you’re actually meeting the controls, that you can actually prove that you’re meeting the controls cannot be overstated enough.”
For many organizations aiming to sell their services to the DoD, “CMMC oftentimes is their first foray [into security compliance], which is like jumping into the deep end,” Hamlin opined. But with the right partner to assist in the readiness process, CMMC certification is an achievable goal.
“The ideal organization is ready to be honest with themselves,” Hamlin said. They should be prepared to “invest the energy and the focus, regardless of how ‘ready’ or not they are.”
According to Hamlin, this investment from organizational leaders in “embracing the challenge” and improving their security posture is a key indicator of success, “irrespective of the technical hurdles that we may have to face.”
For more information about how BARR, Drata, and A-LIGN can help your organization achieve CMMC certification and grow your business in the public sector, contact us or watch the full webinar now on demand.