Reviewing Some Differing Opinions on CMMC

In a recent interview with ExecutiveBiz, Brian O’Donnell, the vice president of Cybersecurity Solutions at Carahsoft, answered questions about the Cybersecurity Maturity Model Certification, or CMMC.

What to Expect in the Coming Months?

When asked what to expect from the CMMC in the coming months, O'Donnell had a lot to say. He started by stating that contractors have begun to receive more specifics from the federal government. He also noted that before the program, the DoD had no way to validate the cyber maturity of the companies from which it was purchasing products.

O'Donnell then went on to mention that the CMMC is being rolled out in phases, so its momentum is expected to grow over time. The Pentagon already has its first pilot contracts of the year in place, and the contractors on them will be required to hold CMMC certification. There are 15 such contracts in 2021, and that number is expected to increase to 75 in 2022 and 250 in 2023.

The DoD also has an interim rule that requires all contractors to submit a basic self-assessment of their current level of compliance (scored against NIST SP 800-171) by the end of November. O'Donnell wrapped up by stating that he expects CMMC compliance to become more uniform among DoD contractors in the coming months and that it will be crucial to winning business with the Pentagon.

What Is Carahsoft Doing to Support Security Vendors to Help Compliance with CMMC?

Carahsoft helps companies build CMMC compliance plans and connects them with consultants who can prepare them for CMMC audits. The hope is that this will improve CMMC compliance across the supply chain.

Furthermore, O’Donnell mentioned that he believes that compliance starts with knowledge. As a result, several resources have been compiled that should help contractors better understand CMMC. This information includes the details of the CMMC framework.

How Will Compliance Improve Going Forward?

Reaching 100 percent compliance will take a long time, as there are roughly 300,000 companies in the U.S. defense industrial base, each with a different level of compliance in place. Some companies are fully prepared for an audit, whereas others are just beginning their self-assessment. O'Donnell understands that there are several viable approaches to compliance: some businesses can choose cloud models, whereas others can go with a hybrid model. He wrapped up the interview by stating that his company is in a unique position to help contractors at different levels of compliance.

Could A Lack of Compliance Cause Issues Going Forward?

While O'Donnell is taking a patient approach to getting all companies compliant, others are worried about current compliance levels. Stuart Itkin, the vice president of CMMC and FedRAMP Assurance for Coalfire, spoke on this topic on Federal Tech Talk with John Gilroy. His biggest concern is that some companies expect to be acquired before they become compliant and therefore see no need to spend time on compliance now. A contractor that acquires one of these companies could end up with a non-compliant unit that has to be walled off from the rest of its practice areas. So, while O'Donnell's patient approach has merit, it could lead to significant problems down the road.

Organizations Seeking Certification (OSCs) can learn about the CMMC’s five maturity levels and processes within the 17 capability domains on GSec’s Website.

By: Alex O’Reilly