Brian O’Donnell, vice president of Cybersecurity Solutions at Carahsoft, recently took part in a Q&A session with ExecutiveBiz regarding the Cybersecurity Maturity Model Certification (CMMC), which is meant to improve the overall cybersecurity posture of the defense industrial base and supply chain.
In addition, he discussed the path to compliance for suppliers, particularly considering each company is in a different place in the CMMC journey.
You can read the full Q&A session with Brian O’Donnell below:
ExecutiveBiz: Lots of our readers are tracking the CMMC program. What do you expect to see over the next few months?
“I’ve been following the CMMC program closely from the outset, and we’re starting to get some more specifics from the federal government. For those less familiar, CMMC is a cybersecurity framework focused on improving the cybersecurity posture of the defense industrial base.
Before the program, contractors were in charge of their own cybersecurity, and the DoD had no way to validate the cyber maturity of the suppliers they were buying goods and services from at the time.
Now, CMMC creates a process where compliance is validated by third-party assessment organizations, allowing the DoD to trust that their sensitive information is protected. CMMC will be required for all DoD contracts by September 30, 2025.
CMMC is being rolled out in phases, which means momentum is only going to continue to grow. The Pentagon has already identified its first pilot contracts for 2021, which will require awardees to have the required CMMC certification. The number of contracts is supposed to jump from 15 in 2021 to 75 in 2022 and 250 in 2023.
Last year, the DoD issued an interim rule that required contractors to post a “basic self-assessment” concerning their current level of compliance with the practices of NIST 800-171 by the end of November.
This year, the CMMC language has been included in the 2021 National Defense Authorization Act, while DoD and GSA are reviewing reciprocity with FedRAMP. Add it up, and the defense industrial base has no time to waste with regard to compliance.
In the coming months and years, CMMC compliance will represent a unified cybersecurity standard for DoD contractors and will be critical to winning business with the Pentagon.”
ExecutiveBiz: What is Carahsoft doing to support its security vendors who can help with CMMC compliance?
“We help organizations audit their environment against the processes and practices of CMMC and build a compliance plan. As a trusted distributor, we connect organizations with service providers and consultants who can help them prepare for a CMMC audit.
As gaps in compliance are identified, we then identify the services, training and technology that will best remediate those gaps. On top of that, we provide news, educational material, events and other resources to help organizations gather information and make decisions related to CMMC.”
ExecutiveBiz: What information is Carahsoft aggregating on its CMMC site?
“We believe compliance starts with knowledge, so we’ve been compiling lots of great resources for contractors looking at CMMC. This information includes details about the CMMC framework, its five maturity levels, and the processes and practices within the 17 capability domains (e.g. access control, configuration management, incident response, etc.).
Visitors can click on each capability domain and explore vendor technologies that address a specific control family. For example, there are 17 Carahsoft vendors who can assist with the Risk Management capability domain.
The Vendor View is designed to help the defense industrial base optimize existing or new technology purchases for CMMC compliance. Visitors can search by vendor to see what capability domains each vendor is linked to. Most Carahsoft cybersecurity vendors can assist with multiple capability domains.
It’s worth noting, too, that the initial implementation of CMMC will only affect DoD contracts. However, civilian agencies are also evaluating the use of CMMC. In fact, many are already using its language in contracts as well. Thus, this information may be useful to civilian agencies as well.”
ExecutiveBiz: What is the path to compliance for the defense industrial base?
“The target market is large and diverse. Defense contractors of all sizes with varied business models are on the path to compliance—about 300,000 companies around the U.S. Every organization is in a different place. Some organizations are fully prepared and waiting for their audit. Some organizations are just getting started with self-assessment and building their plan for remediation.
Every organization will take a different approach to compliance. They can choose cloud, on-prem or hybrid. They can choose in-house or managed services or hybrid. They can choose an enclave or all-in. You get the idea.
Because we partner with such a wide range of vendors, we are in a unique position to help contractors identify the right technology based on their existing tech stack and maturity level.”