This is the second in a multi-part blog series on CMMC. You can find part one (the why, how, and what is CMMC) here.

Part one of this blog series talks about why CMMC is a significant advancement in cybersecurity frameworks. Part two examines how the unique aspects of the CMMC model are especially well suited to the individual needs of the small and medium businesses in the Defense Supply Chain (DSC).

Challenges Causing Slow Uptake of Cyber Framework Adoption by SMB’s

SMB’s operate with very lean IT teams, typically with IT generalists across the team. Even if the SMB is able to have specific cyber expertise on the team, they often wear multiple hats. Managing cyber becomes a reactive, ad hoc process. There is little or no time allocated to strategic and proactive management of cybersecurity. 

Thus, SMB’s often place the management of their IT in the hands of a Managed Service Provider (MSP). This often translates into the MSP being viewed as the source of cyber guidance for the SMB. Unfortunately, it is hard to find an MSP in this space that also provides deep security expertise.

The progressive SMB that begins to look at a framework to adopt often sees a monolithic grouping of well over a hundred controls. The perceived effort to assess against all these controls and remediate the gaps as a single undertaking appears too daunting even to consider and simply unaffordable.

On the surface, mandating a complex cyber model like CMMC for the SMB segment of the DSC appears to be a huge ask for these smaller companies.  How can this possibly work?

The CMMC Model Structure is Perfectly Suited to Address these Challenges

Addressing the challenges mentioned above in reverse order, let’s first see how the CMMC model helps with the perception of a daunting and unattainable monolithic set of controls. 

CMMC groups the controls and process requirements by Maturity Level. This grouping of controls extends across all five levels of security in the CMMC model.

This organization based on Maturity Level provides an explicit structure to implement the mandate across multiple phases and possibly multiple years. The time available to companies to achieve compliance with the model depends on the future awards of contracts they will receive, and CMMC maturity level mandated in each contract. This will ultimately determine the length of time each company has to lay in phasing across the maturity levels of the model.

The next challenge to address is how to implement the CMMC model in an affordable way. Phasing remediation across maturity levels lets a company also carefully manage cost and spend over time. Rather than funding complete remediation in a single step, the cost is spread over multiple time periods, even years.

The Contracts Group, based on their conversations with an organization’s prime contractors, ultimately carries the best knowledge of when the Interim Rule, or actual CMMC mandate, will appear as DFARS in a contract award. This knowledge, combined with phasing by maturity level, can establish the most efficient roadmap that the organization can follow as they achieve the required CMMC compliance.

The organization still needs to be able to afford the cost and time associated with the “Office of the CISO” required when implementing the mandate. This is where SOAR (Security Operations, Automation and Reporting), often thought of specifically in the context of SecOps, also applies to security GRC (Governance, Risk and Compliance).  

There are platforms available that can effectively automate the functions that need to surround the implementation of the CMMC model. In the next blog entry in this series, we will look at creating a virtual Office of the CISO in an affordable way.