How the CMMC is Changing Culture One Company at a Time
Posted: February 24, 2021
Note from John: Seems like every time I have a conversation with another colleague or company the topic of CMMC comes up. The Cybersecurity Maturity Model Certification is not going away…for many good reasons. As defense contractors we have to protect our assets, resources and those of our clients. It is in OUR best interest. Here is another great article from Jason Miller.
This is a guest post by Jason Miller, executive editor, Federal News Network.
Let’s set the record straight: The Cybersecurity Maturity Model Certification, or CMMC, accreditation body is not part of the Defense Department.
Of all the misconceptions out there about CMMC, Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield, said that is the one he hears the most.
So 18 months into the CMMC development and rollout, Golden said industry and agencies still need to grasp why this initiative matters so much.
“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain, but it will very quickly go out,” Golden said in an interview. “If you look at the Air Force, Navy, Marine Corps F-35 aircraft, and then you look at the Chinese J-31 aircraft, and you wonder why those airplanes look exactly the same? You wonder how that happened. That’s the problem we’re trying to fix.”
Golden said the idea behind CMMC, and supply chain security more broadly, is changing one company’s culture at a time.
“As each company does their assessment, they’re going to get a little bit better. And hopefully, the next time they have their next assessment, they’re going to be a little bit better,” he said.
“We’re just going to slowly change the culture, where companies are going to start looking at cyber the way they look at human resources. Most people that start a company are not experts on local, federal and state labor laws. So what do they do? They hire an expert to help set up a HR office to handle all that stuff for them to do everything right to keep them out of jail. Cyber has got to be seen as the same thing. It’s just part of doing business in the modern global enterprise. What we’re trying to do is we’re trying to get the point where people don’t forget about it or whitewash it or whatever the case is, but actually take it seriously as a part of doing business.”
That culture change has to happen with more than just defense industrial base companies. This is why the Department of Homeland Security and the General Services Administration are starting to consider how they can use CMMC.
Click the link below to read the full article and listen to Jason’s interview with Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield: https://federalnewsnetwork.com/cybersecurity/2021/02/cmmc-changing-culture-one-company-at-a-time/.