Cybersecurity Maturity Model Certification (CMMC): Just the Facts
by Cindy Gaddis

The cybersecurity crackdown is coming!  A few years ago, whilst working for a small business, we had the arduous task of ensuring the organization was and could demonstrate cybersecurity compliance (110 controls from NIST).  In the end, the president of the company drafted a memo and declared we were good to go.  It was immediately clear, this was not going to solve the cybersecurity threat.   

The DoD came to the same realization and is working to do more to evaluate and reinforce the security of contractors with a specific focus on small business.  Small business is the low-hanging fruit or easy target for bad actors.  While the DoD has been working to resolve this issue for years, it seems as if they are making good progress with the Cybersecurity Maturity Model Certification (CMMC).  What does this mean for small business?  Initally, additional barriers to GovCon.

In August, the Department of Defense (DoD) released version 0.4 of the CMMC, which is considered a mid-point draft, and is available online; however, here are the facts:

  • Applicable to contractors handling controlled unclassified information
  • Developed by DOD in coordination with Johns Hopkins University Applied Physics Laboratory, among several others
  • Includes five levels ranging from basic cybersecurity controls at Level 1 (LI) to highly advanced practices at Level 5 (L5)
  • Combines various cybersecurity standards and best practices, to include National Institute for Standards and Technology (NIST) special publication 800-171, which defense contractors are required to follow today under current defense acquisition rules
  • Certification required to receive contract awards
  • Third-party companies will be cleared to conduct audit certifications on behalf of DOD
  • Intended to improve upon the current rules, which merely require contractors to self attest how they comply with the 110 controls listed in NIST SP 800-171
  • DOD plans to release the final draft, "Version 1.0," of the CMMC in January 2020
  • Expect certification requirements to appear in RFIs next June and in RFPs by fall 2020
  • DOD will release another draft for comment, "Version 0.6," in November 2019

The Office of the Undersecretary of Defense and the Department of Defense also issued a request for information (RFI) earlier this month to establish an accreditation for the Cybersecurity Maturity Model Certification (CMMC).


How Climbing Mount Fuji is like Doing Business with the Government 
by Cindy Gaddis

My best friend, Robin, currently stationed in Japan with her husband, invited me to climb Mount Fuji.  Nine months,  countless training hours, and a 75lb loss later, we made the 10-hour trek up the mountain and the 6-hour slide back down.  Along the way, I thought of how doing business with the government is very much like climbing the beast that is Fuji and what you really need to accomplish both; experience, tools, and perseverance.

First, have a someone with experience on your side. Robin had already climbed Fuji and knew what to expect, the equipment we would need, what to and what not to do, along with the required funding.  When doing business with the government, have successful people with a proven track record on your side.  People who have been where you want to go. Merely learning things from those who have learned from others can never replace “real-world” experience.

Second, have the right tools.  The right tools made the difference between accomplishing the goal in the time allotted and our very survival.  We set out to make it to the top of Fuji in time to witness the sunrise without falling off the mountain or freezing to death.  We certainly could not have accomplished these goals without the right map, climbing, and weather gear!  Likewise, the right business tools and resources can mean the difference between success and failure.  When a company has, and uses the right tools, the probability of winning government contracts exponentially increases.  From the year-round marketing calendar, capabilities statement, customer relationship management (CRM) system, and back office support, to the capabilities briefings with decision-makers, these tools allow companies to provide, retain, gather, and communicate vital information, and accomplish more with less.

Finally, go slow to go fast.  Take the time to plan first; it will save you unnecessary pain, time and money.  There’s absolutely nothing fast about climbing Fuji.  Climbing up steep inclines, over huge volcanic boulders, then slowly slipping and sliding our way back down via pebble-size volcanic gravel was a slow, tedious, and painful experience.  Going fast, or bullet-climbing, on the incline could have resulted in mountain sickness or, worse, falling off the mountain, whereas going slow and steady, in a prepared manner, virtually guaranteed our successful ascent, summit arrival, and descent.  Slow and steady perseverance is the key; follow the plan, go slow to go fast, but never stop. Government contracting can also be a slow, and often times, tediously painful process.  Get it right the first time.  Rather than rushing to bid on a solicitation simply because the organization can do the work, take the time to get to know and market to the customer before the solicitation hits the streets.  Know the decision makers, their mission, and the driving force behind their acquisition, then develop a deliberate marketing plan to market to them year-round so they know exactly what your company brings to the table and the benefits of working with together.

CG Consults provides GovCon expertise in support of organizations who seek to pursue and win business with the federal government.  Contact us today!

Follow CG Consults on LinkedIn for GovCon specific tips, tools, and techniques!