Cybersecurity Maturity Model Certification, also known as CMMC, is a crucial element of a strong cybersecurity plan. It was established to align Defense Industrial Base (DIB) partners with the Department of Defense’s (DoD) information security requirements, which aim to protect Controlled Unclassified Information (CUI). In order to build consistency and create strong cybersecurity implementations, professionals undergo CMMC training that covers a range of relevant topics and enhances the cybersecurity posture of a business.
Recently, I completed CMMC (Cybersecurity Maturity Model Certification) CCP (Certified CMMC Professional) training, which involved roughly 40 hours over the course of a week and covered a multitude of topics including the Department of Defense’s Code of Conduct, CMMC Governance, the CMMC Assessment Process (CAP), how to scope CMMC Assessments, and a thorough review of all 110 practices tied to Level 2 certification. This is a significant step from the DoD to build consistency across a variety of cybersecurity focus areas for its suppliers and will have wide-reaching impact as it goes into effect sometime in 2025 based on latest projections. The bottom line for suppliers is that if you are not compliant, you will not be able to work contracts, potentially impacting tens of thousands of current suppliers.
What is CMMC?
While we addressed the topic above, in general the Cybersecurity Maturity Model Certification (CMMC) is a program established to align Defense Industrial Base (DIB) partners with the Department of Defense’s (DoD) information security requirement to protect Controlled Unclassified Information (CUI).
What is the Purpose of CMMC/CCP Training?
- It allows for enhanced cybersecurity posture of organizations, especially those within the defense industry.
- It works to mitigate supply chain risks by ensuring that contractors and subcontractors have adequate cybersecurity protections.
- CMMC/CCP training ensures that companies are in compliance with Department of Defense (DoD) requirements, and that they protect sensitive information.
- This training prepares organizations for CMMC assessments and certifications.
As a whole, the process of training and certification aids in the development of a skilled cybersecurity workforce. It empowers professionals and organizations to implement and maintain CMMC compliance, not only widening their abilities but also creating a safer cyber environment.
Takeaways
What is the impact of the training?
Initially, this will have a significant impact on current DoD suppliers and even those organizations who support said suppliers (think MSPs, MSSPs, etc.); this statement is undeniable. In addition, the level of effort for suppliers, contractors, and subcontractors to get “assessment ready” and ultimately work towards certification is massive.
While there are cheaper/faster strategies out there, the typical costs and time required to prepare for this process are measured in hundreds of thousands of dollars and months/years. It will likely require substantial culture changes for organizations that have traditionally been more operationally focused, meaning organizations built on the concept of “getting things done” will have to slow down, understand, document, manage, and monitor change, all while maintaining awareness and control of what systems, people, and other assets are exposed to and transact CUI.
What does the future look like?
The bigger question to me is what the ripple effect outside of the DoD and/or government space will look like. There is certainly a scenario where certification requirements make their way into the private sector and could impact just about every business out there. CMMC has a strong alignment to the NIST framework, which is already commonly used by companies to build cybersecurity programs. It’s not a significant leap to see some form of CMMC certification for private sector companies as a requirement to do business.
What’s Next?
By the end of this article, you may be wondering: why did I read this? How does it apply to me and my organization?
As a whole, CMMC/CCP training may not seem to initially correspond to your day-to-day, especially if cybersecurity has not been at the forefront of your practices. However, this training, and its method of security, provides an increased level of scrutiny over our cyber practices; it forces us as organizations to look closer at our procedures and adjust our actions in such a way that data becomes more secure.
Does this mean that you have to go out tomorrow and become CMMC Certified?
In short, the answer is no. However, utilizing tactics from the training can take your cybersecurity to the next level. Instead of setting aside the time and money to take the training yourself, you can work with a team of professionals who have undergone the certification and can provide adequate guidance in the area.