Are you an ostrich? For CMMC, you'd best be a roadrunner


In the last issue, we discussed the fuss around the Cybersecurity Maturity Model Certification (CMMC).[1] The final regulations establishing CMMC as a formal program of the U.S. Department of Defense (DoD) have now been published. The long of it is that CMMC has been discussed since 2017; the short of it is that the final rules are expected to take effect in Q1 2025.[2] Many people had taken the position that they would believe it when they saw it. Well, here it is.

CMMC is designed to validate that the controls of NIST SP 800-171 Rev. 2 have been implemented.[3] An independent assessment demonstrates that the controls are implemented correctly, are operating as intended, and produce the required outcome, with evidence to show it. This validation is required for contracting with the DoD, but it also helps companies protect their intellectual property across all of their business operations. Supply chains everywhere are targets for cybercriminals, and the better protected your information and data are, the better off you will be.

Many companies in the defense industrial base would have preferred that existing security achievements, particularly ISO 27001 certification and/or SOC 2 attestation, be accepted in place of CMMC validation. The DoD considers these activities significantly different from CMMC and does not accept them as substitutes. The good news, however, is that if you have achieved either or both, your environment is significantly further along against the controls of NIST SP 800-171 than that of a company with no security framework at all. At the end of the day, any security framework, whether from NIST or another entity, covers people, processes, and systems, not just technology. It is key that the people involved are trained, know the processes and procedures, and can demonstrate compliance to an auditor or an assessment team. As is true for any framework a company must comply with, it is always about the people.

This document is only available to members.