A Methodical Approach Works Best for Implementing CMMC
Companies should not be intimidated by the multitiered Cybersecurity Maturity Model Certification (CMMC), says a panel of experts. The new system is designed so that companies can approach it methodically as they learn more about its implementation and requirements.
In a remote session hosted by AFCEA’s Virtual CMMC Symposium, the panelists encouraged companies to proceed through CMMC’s steps and seek advice from others, particularly prime contractors. Janey Nodeen, president, Burke Consortium Inc., said, “There is a path to success. It’s not as hard as you think, and at the end of the day it’s very, very valuable to your company.
“It is very much a crawl-walk-run approach, and don’t overthink it,” she added.
Seeking assistance from others is a point emphasized by more than one panelist. “Folks at DOD [the Defense Department] should do outreach with entities like CISA [Cybersecurity and Infrastructure Security Agency] and DHS [Homeland Security Department], so that folks who aren’t doing business with DOD but know this is coming will have some harkening as to what the landscape is going to look like,” suggested Chris Cummiskey, senior fellow, Hume Center for National Security and Technology. “While the aims and objectives are absolutely on target in terms of the standards, you’re going to run into things that some folks may not have thought of, particularly on the industry side [such as] partitioning,” he added.
Nodeen echoed his remarks. “Having the benefit of some advice from someone you can trust, maybe from your prime giving you a referral as a sub, would be extraordinarily helpful,” she said.
Many aspects may seem familiar to companies, suggested Kelley Artz, Supply Chain Risk Management, General Services Administration. “Industry itself is requiring of each other more ongoing awareness and monitoring. What CMMC is moving toward at the highest level is not so dissimilar of what industry itself is asking of each other,” she offered.