I am a problem solver by nature. I enjoy recognizing a challenge and figuring out how to solve it. Whether I was writing software or managing a project, I've found that I enjoy problem solving.
However, in my personal life, I'm not a big fan of change. It can be unnerving and unsettling, and I appreciate the structure of my established routines.
My pastor said something that challenged my perspective on change and actually resonated with me.
"Change is not difficult; it is just different."
– Michael A. Freeman
Wow, how profound! Change, then, is an opportunity to rise to the occasion and do something different. It may certainly be difficult to make the necessary adjustments, but the difficulty isn't the issue so much as the fact that you have to learn to do something differently.
In that vein, the DOD cybersecurity maturity expectations for government contractors (aka CMMC) are not difficult. They are just different. Different from what we are used to. Different from what we have been doing. No longer can you simply self-attest to meeting cybersecurity requirements (as you can with NIST 800-171).
The fact is, the recent SolarWinds hack and the current Microsoft Exchange zero-day vulnerability demonstrate that cybersecurity readiness is critically important to your organization and to the nation's defense.
So accept the challenge (if for no other reason than that you have to) and start making a plan to develop the maturity required by CMMC. I didn't say make a plan to get the certification, because that is short-sighted and will not work. It's the difference between developing a plan to obtain a trophy for a race you have never run vs. developing the discipline to run and win the race and obtain the trophy afterwards.
So how do you start?
With regard to CMMC, I would suggest you:
- Start by getting familiar with the standard. The DOD Acquisition Office has published v1.02 of the CMMC here.
- Read up on the latest developments in the industry. Given the newness of the standard, updates are being put out constantly. You can check out the Aronson CMMC Advisory Insights, or reputable news sources like NextGov or Federal Computer Week.
- Establish your baseline: conduct a self-assessment against the standard, or get assistance from a CMMC-AB Registered Provider Organization (RPO) like Aronson to perform the assessment for you.
- Begin addressing gaps, including establishing mature, repeatable practices.
If you need a partner to assist you on your organization’s journey to cybersecurity maturity, contact Aronson. We have a number of services that can be tailored to address your specific needs.
Remember, "change is not difficult; it is just different."
Ready or not, CMMC is coming. The question is how prepared will your organization be to meet this challenge?