Tag Archives: CMMC

New Cybersecurity Regulations ‘On Track’ Despite Virus

“NATIONAL DEFENSE MAGAZINE”

Katie Arrington, chief information security officer at the office of the undersecretary of defense acquisition, said CMMC is still on track despite hurdles created by the ongoing COVID-19 pandemic that has roiled the world.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

_________________________________________________________________________

“Work on the Defense Department’s highly anticipated set of new cybersecurity standards — known as the Cybersecurity Maturity Model Certification version 1.0 — is still on track despite the ongoing COVID-19 pandemic, said an official in charge of the effort April 22.

The new rules, which the Defense Department rolled out earlier this year, are meant to force the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon had targeted including them in requests for information as early as this summer on pathfinder programs.

Under the plan, CMMC third-party assessment organizations, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts. CMMC features different levels, with the level 1 standards being the least demanding and level 5 the most burdensome.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

The Pentagon is working on ways around that, she said during a webinar called “Protecting Small Business in a COVID-19 Environment” hosted by Project Spectrum, which is part of the Cyber Integrity Initiative and is supported by the Pentagon’s Office of Small Business Programs.

“We’re still on track,” she said. “We’re still doing the pathfinders. We’re working through those. We’re still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”

Additionally, the Pentagon still plans to get the first class of C3PAOs rolling out in late May or early June, she said.

The biggest sticking point will be conducting in person audits, as is required, Arrington said.

“Until we get the directive from the president and from Secretary [of Defense Mark] Esper with the DoD we have our stay-at-home orders,” she said. However, “the work hasn’t stopped and we’re still doing our absolute best to stay on track.”


Last week, speaking during a Bloomberg Government webinar, Arrington said potential delays of a couple of weeks would be insignificant to the overall program.

“A two-week push on something is not going to … have a massive impact to our rollout of this,” she said. “I don’t think it’s going to be impactful to the schedule. I think maybe we’ll have a two, three week slip on actually doing the first audits, the pathfinders, but nothing of significance.” Auditors may have to wear masks or social distance while conducting their work, she said.


Meanwhile, Arrington noted that businesses should consider implementing the first level of the CMMC requirements now to protect themselves as more employees in the defense industrial base work from home.

“CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure,” she said. “Waiting isn’t an option for any of us right now.”

She also stressed the importance of good cyber hygiene, and recommended that employees frequently change their passwords and be mindful of spearphishing attempts.

“Do your best to be diligent and remember that … the weakest link is where the adversary will come in,” she said. “Don’t be the weakest link.”


Nathan Magniex, a senior cybersecurity expert at Project Spectrum, also noted during the webinar that contractors should be wary of conducting meetings on the popular video platform Zoom.

“I would not use it as a business owner,” Magniex said. “There are certain red flags. There are connections with China that are concerning especially for the defense industrial base.”

Project Spectrum recently released a white paper on potential security risks with Zoom which said, “Zoom’s numerous vulnerabilities are not unique to them because every software company and application has them. Zoom’s links to China, however, are particularly concerning because those links expose the DIB and its supply chain, thus jeopardizing American innovation, IP and proprietary information.”

Project Spectrum recommended Cisco Webex, Facebook Workplace, Google Hangouts, GoToMeeting and Microsoft Teams as potential alternatives.”

https://www.nationaldefensemagazine.org/articles/2020/4/22/new-cybersecurity-regulations-on-track-despite-virus

Small Business Focus – Cyber Security Maturity Model Certification (CMMC)

FIFTH DOMAIN

Forthcoming cybersecurity controls are designed to help DoD and small business work together to protect sensitive data and help industry comply in a fairer way depending on the types of systems they’re asked to defend.

__________________________________________________________________________

“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.

“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.

Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied by “umpteenth” in 2025 given the near-unlimited bandwidth for cyber campaigns technology promises. As a result, Arrington said, the forthcoming cybersecurity maturity model certification (CMMC) was designed specifically for small businesses.

The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.

What this means is if a company is working on janitorial services, they may only need to comply with level 1 of CMMC as opposed to level 3, which is equivalent to NIST 800-171 regulations, or level 4 that is reserved for exquisite systems.

In the past, there was a two-tiered system for small businesses to be compliant, Arrington described. A company could be compliant with 80 controls under NIST 171 and have a Plan of Actions & Milestones (POA&Ms) to do the other 30, while another company could be doing all the 110 controls and both are technically acceptable.

“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”

As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.

Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.

“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.

“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, partner and co-lead for government contracts at McCarter & English LLP, told FCW following the same draft release.

Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would “likely be an impediment” for small companies.

However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.

“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.

She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”

But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe.”

Recent events have put a spotlight on the fact data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.

“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.

“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.

It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.”

https://www.fifthdomain.com/dod/2019/10/08/small-businesses-main-focus-of-new-cybersecurity-rules/

DOD’s CMMC Standards for Contractors Coming This Week

FEDSCOOP

The Department of Defense’s new cybersecurity certification standards for contractors are officially arriving later this week, and the plan is to have about 1,500 companies certified by next year as the requirements start to pop up in contracts, officials said Tuesday.

_____________________________________________________________________________

“For now, the program’s newly formed certification board is preparing to train and certify assessors, but it does not have a projection as to how many of the cybersecurity specialists will initially be available and when, board member Mark Berman said. The board, a nonprofit, is housed outside of DOD.

The Cybersecurity Maturity Model Certification process will subject all DOD contractors to third-party cybersecurity assessments, with the goal of protecting the military’s entire supply chain. The program is replacing the DOD’s current reference document — the National Institute of Science and Technology’s standards for cybersecurity — with a five-level rating system.

The vast majority of contractors will need only to meet the first level, but even that level of accreditation will still require an in-person assessment by a certifier, officials said.

Industry must move away from self-assured “checklist” security and have continuous security principles baked into its work, said Katie Arrington, special cyber assistant to the assistant secretary of defense for acquisition who has led the creation of CMMC.

“CMMC is meant to create critical thinking around cybersecurity,” Arrington said during an explanatory event Tuesday hosted by Holland and Knight.

The move away from self-certification is one of the major changes that will appear in the finalized CMMC model after the department has circulated several rounds of drafts and parts of the plans in the past months. Arrington and others admitted the existing reliance on self-certification has been a failure with defense technology being stolen by adversary nation-states and criminal organizations alike.

“They are done because they have not worked,” Arrington said of self-certifications.

Implementing CMMC will be a “team sport,” Ty Schieber, another accreditation board member, said during the panel discussion.

Despite large pushes from Arrington and others to get the word out in Washington, D.C., and on listening tours around the country, a recent study found low recognition of the program from defense contractors. Only a quarter of surveyed defense contractors could accurately identify what CMMC stands for.

The DOD projects a slow rollout of CMMC into contracts but hopes the transition will be smooth as businesses realize the threat from cyberattacks. Arrington assured contractors that the government will work “hand-in-hand” with companies as they start the certification process and encounter contracts with the new requirements.

U.S. allies are also being brought into the discussions, Arrington said. The United Kingdom, Sweden, Canada and others will be incorporated into the model to continue partnerships on defense technologies, Arrington said.”

Prepare For Cybersecurity Maturity Model Certification (CMMC)

FCW

CMMC is going to be law of the land. CMMC requirements will begin showing up in presolicitation documents around June 2020, and in the corresponding requests for proposals in September.

______________________________________________________________________________

“It’s a new year — and a new cybersecurity regime for vendors working on defense contracts is coming.

The Defense Department has been steadily working on its new unified standard, the Cybersecurity Maturity Model Certification (CMMC), and is expected to release a final version and a list of accrediting bodies in January. But while companies shouldn’t wait until things are finalized to prep for certification, many are stuck.

“CMMC is going to be law of the land,” Corbin Evans, the director of regulatory policy for the National Defense Industrial Association, told FCW, yet “folks are a little hesitant to make any major moves.”

Evans said a proposed rule to amend the Defense Federal Acquisition Regulation is expected this summer to solidify language and regulatory authority to include CMMC to contracts and that it’s possible “they may try and stretch and amend the FAR itself.”

He added that many of NDIA’s 1,600 corporate members haven’t determined where they fall in CMMC or what level they will seek.

One of the most prominent concerns at this early stage is the reliability of auditors. Like with any certification, it’s important that CMMC have metrics that are consistent across the board.

DOD recently announced that Ty Schieber, the senior director for executive education at the University of Virginia’s Darden School Foundation, will head a 13-member governing body for the organization charged with certifying auditors.

A DOD spokesman told FCW that CMMC requirements will begin showing up in presolicitation documents around June 2020, and in the corresponding requests for proposals in September.

Eric Crusius, partner at Holland & Knight who focuses on government contracting, said CMMC could discourage businesses “that don’t want to get into a new certification requirement” — especially those with emerging technologies. He’s also worried that the DOD could use the requirements to “artificially limit competition,” he said during a Jan. 7 webinar on CMMC hosted by NeoSystems.

“If their favorite contractor has a level four, even if it’s level three work, maybe [DOD will] set the RFP at a level four to kind of get those other contractors out of the way,” Crusius said.

Higher certification levels could also be seen as a way for DOD officials to protect themselves, he speculated.

“DOD officials, agencies may be just as worried and want to have the best of the best as far as cybersecurity compliance goes,” Crusius said, and “artificially make [a proposal] a level four when it’s really only called for a level two, not necessarily because they want to limit competition but just want to protect themselves.”

What to expect

“What’s different here is that it’s not a self-certification anymore; it’s a third-party validation,” Alan Chvotkin, executive vice president and counsel of the Professional Services Council, told FCW.

Cyber assessments from different auditors that are unequal to one another are a worry for Chvotkin because it could affect whether the accrediting body and each certifier is respected and reliable. Almost like getting an appraisal, the ideal is that there would be little to no variation regardless of who certified it.

“It’s not from a company standpoint, it’s what metrics, training, processes assessors will use. How do you validate?” Chvotkin said.

The establishment of the accreditation body as well as the release of the final version of CMMC are expected in January. But companies shouldn’t wait, he said.

“Companies should already have some level of compliance,” Chvotkin said. Companies with government contracts should start preparing now, he suggested, using the latest CMMC draft as a guide.

“I’d be very surprised if 1.0 is substantially different than 0.7,” Chvotkin said. “If I had a single message, [it’s]: Don’t wait until the final is done and all the Is are dotted and Ts are crossed to get started.”

Another reason to prepare early is that CMMC will likely be adopted by federal civilian agencies in the future.

“While the civilian agencies have not glommed on to CMMC, if it’s successful, they’re not going to be far behind,” Chvotkin said. “They’re looking at ways of doing something similar,” as many have already adopted the NIST standard.

Johann Dettweiler, director of operations at Talatek, a certified auditor for the Federal Risk and Authorization Management Program, said on the NeoSystems webinar that writing things down is the first step.

“Even if you’re trying to achieve level one, there’s nothing wrong with getting stuff down on paper, starting to develop practices, policies, procedures, and, and getting those out to all your personnel so they’re aware of them,” he said.

But while preparing for CMMC might seem daunting, Dettweiler said it’s okay to be imperfect.

“You don’t have to be perfect, but just basically give it the best shot and then help and rely on the auditors to help you out further,” Dettweiler said. “If you have failings, you’re not meeting some of the requirements, that doesn’t necessarily mean that you’re not going to achieve the certification level you’re after. There’s always a process.”

Right now, there are no requirements for certified auditors, which could delay implementation, Dettweiler said.

“The accreditation body hasn’t been selected yet, which means there’s no requirements for certified auditors,” he said. “If they’re already looking as early as June to start issuing certification levels for the RFI, that’s maybe a little bit — probably not true in their actual timeline.”

“However, that doesn’t mean that you shouldn’t get started on this. All the information you have out there is there to get started on working on this.”

https://fcw.com/articles/2020/01/10/cmmc-prep-cyber-williams.aspx?s=fcwdaily_130120&oly_enc_id=

Every DOD Contractor, Large Or Small Required To Be CMMC-Certified in 2020

WASHINGTON TECHNOLOGY

Every contractor, large and small – prime and sub – will be required to be CMMC-certified in 2020. Cybersecurity maturity will be the fourth critical measurement along with cost, quality, and schedule.

This compliance model will ultimately define cyber standards across several maturity levels that range from basic cyber hygiene to advanced cyber maturity.

______________________________________________________________________________

“Cybersecurity continued to be front-page news in 2019, as ransomware threats rose and government systems nationwide were increasingly targeted. From the largest hospital in New Jersey to some of the nation’s most prominent cities, cyber systems that deliver essential services were subjected to disruptions and losses caused by adversaries wielding sophisticated ransomware such as Ryuk, REvil, BitPaymer, etc.

The Department of Defense is adding some muscle to the fight. In recognition of growing threats and increasing weaknesses in its supply chain, the DoD has published draft guidelines, the Cybersecurity Maturity Model Certification 0.7 (CMMC), for its more than 300,000 defense contractors – before full implementation in January. 

What does this mean for defense contractors aiming to meet CMMC criteria in the new year? Simply put – start now.

Forward-leaning defense contractors who prioritize cybersecurity readiness should initiate these three preparatory steps even before year-end:

  1. Inventory current cybersecurity practices and protocols against the CMMC 0.7 version that spells out criteria for Levels 1-5 certification.

Level 1 is the foundational layer that sets out the basic cyber hygiene practices that contractors must meet, and upon which all other Levels are built.

Beginning at Level 2, intermediate cyber hygiene practices are established, allowing the organization to more effectively respond to cyber threats. Additionally, level 2 introduces the process maturity dimension of the framework, requiring organizations to have standard operating procedures, policies, and plans for all practices.

To achieve Level 3 and beyond, contractors must implement effective controls that meet many of the security requirements of NIST SP 800-171 Rev 1, including for contracts that require access to or generate controlled unclassified information (CUI). Proper endpoint detection and response capabilities, antivirus software, and overall good IT hygiene will help achieve this status.

The new NIST SP 800-171b draft will help address levels 4 and 5. However, even at Level 5, the DoD model indicates that companies will only then have the capability to optimize capabilities in “an attempt to repel” advanced persistent threats (APTs). Clearly, today’s threat environment is rapidly evolving and growing more sophisticated. Maturity frameworks like the CMMC must evolve as well.

  2. Identify gaps and plan improvements in processes and practices to achieve readiness for third-party CMMC assessment.

This step means looking across every company platform for material weaknesses that can be exploited by bad actors. Oftentimes, this can begin with auditing past security missteps and holes in protection from legacy systems. The methods to protect networks that agencies have employed in the past may no longer serve their intended purpose – now is the time to implement a fresh approach to improving organizational security posture.

Research shows that attackers are quick to target smartphones and endpoint devices – in short any connected devices that are generally less protected than government computers. CrowdStrike’s 2019 Mobile Threat Report found a diverse array of adversary groups are increasing attacks on mobile platforms.

  3. Last, and most important, evaluate where your company is on the road to process maturity in each of the CMMC domains.

Each domain requires meeting the appropriate process maturity standards for every level beyond basic cyber hygiene. Most domains are familiar and range from access control, risk management, awareness and training, asset management, recovery, and situational awareness.

Establishing readiness in each of the domains, however, means taking a comprehensive approach to tasks your organization will be carrying out as part of a federal contract.

CrowdStrike studies show that organizations are largely underprepared for new cyber threats. In a recent survey of 1,900 senior IT decision-makers, analysis found U.S. organizations take an average of 101 hours to detect, triage, and contain a data breach. This translates into over four days of round-the-clock work. Remember, the gold standard to combat sophisticated cyber threats is the 1-10-60 benchmark: detect an intrusion in under one minute; perform a full investigation in under 10 minutes; and, remove the adversary in under 60 minutes.

The adoption of frameworks like 1-10-60 and other proactive security technologies, processes, and techniques are critical to getting in front of the ever-changing cyber landscape.

Cybersecurity technologies that harness the power of the cloud, machine learning and artificial intelligence to rapidly detect, prevent, and remediate threats are all critical to shutting down today’s stealthy adversaries. Leveraging these modern tools will also help to achieve the level of cybersecurity maturity that will soon be mandated by the DoD via the CMMC standards.

The bottom line is that CMMC is a vital new DoD initiative, one that is essential to carrying out the important work of the defense industrial base, who in partnership with the government are charged with carrying out a very complex and extremely important mission.

Resolve to start now on a New Year’s resolution to achieve CMMC readiness.”

https://washingtontechnology.com/articles/2019/12/23/insights-cmmc-new-year-resolution.aspx

DOD Mandates Contractor Cybersecurity Maturity Model Certification (CMMC) In 2020

WASHINGTON TECHNOLOGY

By Chor-Ching Fan, David Trout

DoD’s CMMC cyber compliance program rolls out in January 2020 and all defense contractors need to prepare. 

By understanding CMMC requirements, taking advantage of cyber assistance programs, engaging guidance from compliance experts, and leveraging a cloud-based compliance application, small and mid-sized contractors can become CMMC compliant with fewer disruptions and less cost.

______________________________________________________________________________

“The Department of Defense recently announced that contractors who provide products and services for the defense supply chain will be required to comply with the Cybersecurity Maturity Model Certification (CMMC) process beginning in 2020. This new security standard is designed to ensure that contractors have appropriate security measures in place and begin prioritizing security with equal weight compared to quality and safety. Because CMMC compliance will be critical to winning business with the Pentagon, DoD contractors need to understand what CMMC is all about.

CMMC Certification Levels and Controls

Representing a unified cybersecurity standard for DoD contractors, CMMC combines a selection of security controls from NIST SP 800-171A, SP 800-171B and potentially other frameworks such as NIST SP 800-53 and ISO 27001. CMMC compliance will be certified by third-party auditors, rather than through self-certification as was allowed for NIST SP 800-171. To address the range of DoD contractors, CMMC comprises five levels of cybersecurity ranging from basic cyber hygiene at Level One to advanced security operations at Level Five for highly sensitive defense assets.

CMMC’s risk-based framework allows a more nuanced application of DoD cyber defense requirements based on the amount of Controlled Unclassified Information (CUI) being handled or processed.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, has stated, “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Choosing the appropriate CMMC level is critical and all defense contractors must achieve at least Level One certification. Contractors failing to meet any item required for a level certification will be certified at the level below it. For example, failure to meet all required security controls for Level Three would result in a certification for Level Two, effectively barring a contractor from bidding on an RFP with Level Three or higher specified in Sections L and M.

CMMC Third-Party Audits

Under previous NIST SP 800-171 regulations, DoD contractors had the option to self-certify. Any security gaps that were identified were noted in a Plan of Actions and Milestones (POA&M), allowing a contractor to continue to provide products and services without achieving compliance with all 110 security controls. With CMMC, self-certification is no longer an option. In addition, POA&Ms are no longer allowed, which means contractors have to address weaknesses in order to achieve compliance and certification. The DoD plans to engage a non-profit organization to certify third-party auditors in late 2019. Once CMMC auditors are certified, they will be responsible for conducting third-party assessments of DoD contractors beginning in mid-2020.

CMMC Timeline

DoD is moving quickly to roll out CMMC. The current timeline for CMMC indicates that contractors will need to be certified by late 2020 in order to bid on contracts. In order to prepare, contractors need to determine where they stand regarding NIST 800-171 controls and the CMMC level they want to achieve as soon as possible. CMMC requirements might encompass controls from other frameworks i.e. NIST 800-53, ISO, etc. but 800-171A and 800-171B controls make up the core and thus a good starting point. Even a relatively short delay may jeopardize achieving CMMC certification by the deadlines set by the DoD or those established by your internal business development team.

Budget Concerns for CMMC

Recognizing that the cost of implementing security controls represents a barrier for small and even mid-sized defense contractors, DoD and other federal and state agencies are considering how to provide financial assistance for some CMMC compliance and certification costs. Targeting small and mid-sized DoD contractors, several financial support resources have been discussed or announced.

Kevin Fahey, the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment, gave permission to Katie Arrington to inform DoD vendors that security is an allowable cost.

The Small Business Cybersecurity Assistance Act, recently introduced in the Senate by Marco Rubio (R-FL) and Gary Peters (D-MI), would provide cybersecurity education to SMBs at Small Business Development Centers (SBDCs) that are funded by Small Business Administration (SBA) grants.

Some states offer cybersecurity assistance programs for small businesses. These programs are typically coordinated through the state’s Manufacturing Extension Partnership Program (MEP). For example, Maryland’s program covers 75 percent of remediation costs up to $10,000, based on the results of a gap analysis.

CMMC Expertise and Tools

Effective CMMC compliance efforts require access to security control expertise and easy-to-use compliance tools to organize and track progress. Failure to plan and coordinate compliance efforts can result in excessive costs, distractions to core business, and lost revenue opportunities. Coordinating with contract, business development, and solution teams early in the process results in a smoother path to CMMC compliance.

DoD contractors without access to in-house NIST compliance experts can engage the help of a virtual compliance officer (vCO). An experienced NIST vCO can help contractors determine which CMMC levels are appropriate, decipher the security control requirements, and understand specific control implementation for development and production environments, as necessary.

CMMC compliance efforts can be more effectively managed with cloud-based compliance software that provides CMMC controls, policy management, evidence management, and tracking. Since CMMC compliance includes external assessments and spot audits, DoD contractors can streamline CMMC efforts with a solution that supports secure role-based access for staff, external advisors and third-party assessors.

Summary

DoD’s CMMC cyber compliance program rolls out in January 2020 and all defense contractors need to prepare. DoD contractors can take proactive steps to minimize the time and effort required for CMMC compliance by staying up to date on the latest developments, visiting DoD’s site or subscribing to periodic alerts on NIST 800-171 and CMMC developments.”

https://washingtontechnology.com/articles/2019/11/14/insights-cyber-maturity-requirements.aspx

About the Authors

Chor-Ching Fan is the president and CEO of Rizkly, a firm that helps companies achieve and demonstrate compliance with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies manage global supply chain processes and harness disparate data to improve decision-making. His software product management experience spans global SaaS products for B2B data integration, governance and risk analytics, and self-service cloud analytics.

David Trout is the chief strategy and business development officer for Rizkly, a firm that helps companies comply with industry-mandated cybersecurity and privacy standards. He has over 20 years of experience helping companies achieve enhanced security posture and compliance with industry standards such as NIST, SOC and FedRAMP. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).