Bill Solms, President and General Manager for the QOMPLX Government Solutions Division, wrote ‘Where to start and how to go forward with CMMC preparation’ for Washington Technology. As CMMC certification becomes a necessity for bidding on DOD contracts, preparing for and obtaining certification is critical.
The CMMC certification was created to combat the rise of cybercrime, which can lead to the loss of billions of dollars annually: up to $600 billion globally, and between $57 billion and $109 billion from the U.S. economy in 2016 alone. Within the government space, contractors and subcontractors are common targets. Under CMMC, they would be required to be certified as "cyber secure" in order to bid on contracts from the U.S. Department of Defense.
“CMMC draws from a few existing certifications (NIST 800-171, CIS Controls, DFARS) and helps contractors understand the policies and procedures that need to be revamped. It is an important first step to take a pre-assessment prior to meeting with auditors to understand their organization’s current state of CMMC readiness.”
– Bill Solms, President & GM, QOMPLX Government Solutions.
Solms notes that it is essential to prepare for certification. As self-assessments are not used for CMMC, a third-party audit must take place. “Under the updated plan, the CMMC-AB is responsible for identifying, training and certifying third-party auditors to conduct physical audits. These auditors will make the final decision on whether a contractor has met the controls required to receive their certification,” he writes.
While COVID-19 has complicated the rollout of CMMC, Solms says any delays in the program should and likely will be temporary. “The ... necessity to institute more transparency and due diligence in cybersecurity for government contractors of all sizes is something that cannot and should not wait.”