Note from John: Seems like every time I have a conversation with another colleague or company the topic of CMMC comes up. The Cybersecurity Maturity Model Certification is not going away…for many good reasons. As defense contractors we have to protect our assets, resources and those of our clients. It is in OUR best interest. Here is another great article from Jason Miller.

This is a guest post by Jason Miller, executive editor, Federal News Network.

Let’s set the record straight: The Cybersecurity Maturity Model Certification, or CMMC, accreditation body is not part of the Defense Department.

Of all the misconceptions out there about CMMC, Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield, said that is the one he hears the most.

So 18 months into the CMMC development and rollout, Golden said industry and agencies still need to grasp why this initiative matters so much.

“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain, but it will very quickly go out,” Golden said in an interview. “If you look at the Air Force, Navy, Marine Corps F-35 aircraft, and then you look at the Chinese J-31 aircraft, and you wonder why those airplanes look exactly the same? You wonder how that happened. That’s the problem we’re trying to fix.”

Golden said the idea behind CMMC, and supply chain security more broadly, is changing one company’s culture at a time.

“As each company does their assessment, they’re going to get a little bit better. And hopefully, the next time they have their next assessment, they’re going to be a little bit better,” he said. 

“We’re just going to slowly change the culture, where companies are going to start looking at cyber the way they look at human resources. Most people that start a company are not experts on local, federal and state labor laws. So what do they do? They hire an expert to help set up a HR office to handle all that stuff for them to do everything right to keep them out of jail. Cyber has got to be seen as the same thing. It’s just part of doing business in the modern global enterprise. What we’re trying to do is we’re trying to get the point where people don’t forget about it or whitewash it or whatever the case is, but actually take it seriously as a part of doing business.”

That culture change has to happen with more than just defense industrial base companies. This is why the Department of Homeland Security and the General Services Administration are starting to consider how they can use CMMC.

Click the link below to read the full article and listen to Jason’s interview with Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield: https://federalnewsnetwork.com/cybersecurity/2021/02/cmmc-changing-culture-one-company-at-a-time/.
