Darren Van Booven, lead principal consultant at Trustwave and former CISO of the U.S. House of Representatives, shares his insights on CMMC and guidance for organizations in this Q&A.
Who falls under the scope of CMMC?
If you touch the Department of Defense at all, or sell to them in any way, or sell to a prime contractor that sells to the Department of Defense, you’re going to be in scope of CMMC.
There are a lot of companies who may not be thought of as defense contractors in the classical sense—like the Lockheed Martins and Northrop Grummans of the world—that will be in scope. Many of the larger organizations that are out there in the technology world that provide software or services that the DoD leverages are going to fall into this bucket.
What guidance can you offer to organizations on CMMC?
The questions I get the most are from organizations who know what CMMC is, but don’t necessarily know how it will affect them, and what they should be doing now. So, the guidance I would offer is threefold:
You need to know what level you should go after. The way you do that is to understand what kind of information you are storing or generating as part of your contract, whether it’s Federal contract information or controlled unclassified information. That is what drives the level of certification you’ll need. If your organization doesn’t know the answer to that question, work with your contracting officer to understand it.
Once you understand what kind of data you have, you need to understand who touches that data. What contractors and subcontractors have access to it? The reason to do that is that it will help you establish your certification boundaries. Organizations might be doing a lot of federal business, but not a lot of DoD business, and it will be more beneficial for them to limit their CMMC certifications appropriately.
Finally, it’s a matter of what you can prove. Your assessors will ask for evidence proving that you are following the proper practices. Evidence can include in-person interviews, documentation, or testing. You will need evidence from at least two out of the three types, and your assessor has to get that information from people who are actually doing the work. So, organizations need to be ready for that, and it will be extremely time-consuming and unfamiliar for many.
These are all things that organizations should be doing now – so they’re not rushed later on.