CMMC Update by Glenda R. Snodgrass for The Net Effect

October 13, 2020

Good afternoon, everyone!

I listened to a live webinar last Wednesday featuring Ben Tchoubineh, a CMMC Accreditation Board member, and I wanted to share with you a few key points I jotted down:

"The time to prepare is now."  Boy, this one phrase is getting a lot of air time.  You see, the clue is in the name -- we are talking about the Cybersecurity MATURITY Model Certification, and a lot of emphasis is being placed on maturity.  You need to start developing and institutionalizing your practices NOW, even if you won't be getting certified for another year or two or three.  During an official assessment, you will need to demonstrate:

Repeatable processes, following organizationally-approved policies, performed over a significant time frame.

This is even for Maturity Level One (ML1)! At ML1, the policies don't have to be written down, but they have to be formulated and followed.  At ML2 and up, policies must also be documented.

He made a point of saying "This is why the CMMC has practices, not controls."  NIST SP 800-171 enumerates 110 security requirements (commonly called controls).  The CMMC focuses on practices: the holistic view of those controls and how they are actually implemented, within the context of your maturity level.

"Start with a gap analysis."  One of the questions from the audience was "where do we begin?"  The answer:  start with a gap analysis.  Designate a point person to learn the CMMC practices and processes, and have that person perform a gap analysis.  What does this mean? Wikipedia says:

"Gap analysis involves determining, documenting and improving the difference between business requirements and current capabilities."

If you are still stuck, I highly recommend using the NIST Cyber Security Framework (NIST CSF) as your starting point.  You can learn how to get started using the NIST CSF for your gap analysis in my work(fromhome)shop on October 28.  Details and registration are available online.

Primes, start talking to your subs.  Prime contractors need to start querying their subcontractors about their cyber security posture.  You need to examine the data that flows down to your subs, and help them identify which ML they will need to achieve.  Unless they provide only commercial off-the-shelf (COTS) products, most of them will need at least ML1.

A final thought.  When asked "what are the most common things you have seen doing gap analyses?", his answer was "when cybersecurity is not a part of the culture of the business."

So make certain that cybersecurity is an important part of the culture of YOUR business!

Have a great week!

Remember, you can read past updates on our website, along with tons more information under the Resources tab.

Sincerely,

Glenda R. Snodgrass (CMMC-RP)
The Net Effect, LLC
251-433-0196 x107

PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!

The Net Effect, LLC is a CMMC-AB Registered Provider Organization(TM)
