Speaker

Dy Edington

Director of Information Security, BlueHalo

Albuquerque, New Mexico, United States

Dy is the Director of Information Security for BlueHalo, a defense contractor in Albuquerque, NM. She has spent the last four years supporting the company’s CMMC program, leading the enterprise to a successful CMMC Level 2 third-party assessment this year. The last two and a half years she has overseen the development of a proactive cybersecurity program focused on compliance integrations for mergers & acquisitions. She has a Master of Science in Information Technology Management, is a CMMC Certified Practitioner (CCP), and a Provisional CMMC Assessor (CCA).

Area of Expertise

  • Information & Communications Technology
  • Law & Regulation

Topics

  • CMMC
  • GRC
  • Compliance

CMMC - Not an "IT" Certification

25 minute talk, not presented elsewhere previously.

With the introduction of DFARS 252.204-7012, defense contractors have been required since 2017 to be compliant with NIST SP 800-171 by implementing the 110 security controls in that framework. Due to ongoing failures by the defense industry to fully implement those controls, subsequent DFARS clauses have required increasing stringency in demonstrating compliance.

The Cybersecurity Maturity Model Certification (CMMC) is the latest requirement in the ongoing escalation for the defense industry. CMMC is a third-party certification for defense contractors that validates implementation of the 110 controls from NIST SP 800-171/800-171A. The certification requirement via third-party assessment became our reality in October 2024 with the passing of the Final Rule for 32CFR 2002. Obtaining a CMMC-validated SPRS score is a requirement for any defense contractor to remain eligible to bid on, or hold, DoD contracts as the rule is phased in over the next few years.

Historically, 79% of contractors self-assessed and reported a perfect 110 score. When DIBCAC performed a High confidence assessment on those same entities, only 15-20% of those companies had that 110 score validated. For a certification that is required to operate as a defense contractor, this indicates a significant gap in the process.

CMMC is almost universally viewed as an IT/Cyber/Information System responsibility, handed to the CIO or CISO to “make it happen”, and often no one outside the Office of the CIO receives support or engagement until demands for artifacts start flowing out to other departments.

However, among the top reasons companies fail a CMMC assessment, the following appear in nearly every list:

  • Lack of leadership buy-in.
  • Failure to understand the controls.
  • Lack of detailed documentation.
  • Failing to identify where CUI lives in the environment.

A relevant, effective, robust implementation of the controls involves the effort of nearly every functional department within a company in addition to IT and Cyber: HR, Security, Contracts, Subcontracts, Facilities, Talent Acquisition, Marketing, application developers, supply chain/logistics teams, and front desk administrators all have important roles to play in achieving a CMMC credential. Successfully integrating the efforts of these departments requires several key elements before the effort begins: communication, relationship, education, and buy-in.

This presentation provides actionable insight into how integrating these four elements into your Cyber team's cadence will improve your cybersecurity posture, support your CMMC achievement, and set your defense company up for success.
