A Q&A with Taiye Lambo of eFortresses
Managing cybersecurity for an entity as vast as the Department of Defense requires managing the downstream cyber risk of its hundreds of thousands of vendors and contractors. The Cybersecurity Maturity Model Certification (CMMC) was designed to help align the DoD’s contractors with a rigorous standard.
We wanted to better understand this recently introduced certification program so we talked to Taiye Lambo, founder and CEO of eFortresses, about how and why companies should pursue this certification and start implementing its best practices.
What is the CMMC program and who does it apply to? Who should be aware of it?
Cybersecurity Maturity Model Certification (CMMC) is basically the Department of Defense supply risk management network. It’s been around for about three years and has been revised multiple times. The idea is to manage risk for up to 10 chains down, largely involving controlled unclassified information (CUI) and federal contract information (FCI) data.
When you’re talking about the Department of Defense—which has an annual budget of three quarters of 1 trillion dollars—the supply chain is massive. It encompasses up to 1,000 household name companies such as Lockheed Martin, Boeing, Northrop Grumman, SAIC, and so forth. Small to medium-sized businesses make up the balance of the 300,000 prime and subcontractors.
It’s these contractors that should be aware of CMMC. They are mostly based in the US, and the majority are minority, women and veteran-owned companies. Some of these companies may only have one client but the DoD might generate $50 million in business every year. And if they don’t meet the requirements of CMMC, they are at risk of losing that one very important client. This is a very big issue for them.
What should those parties know about CMMC?
The first thing to understand is that the current rule is an evolution of Defense Federal Acquisition Regulatory Standard (DFARS) 7012, which went into effect on December 31, 2017. It required companies to conduct a self-assessment in accordance with the NIST framework.
Until 2020 it was a self-assessment or self-attestation. In 2020, the DoD made it into a certification. Multiple versions have evolved since then, and currently the CMMC 2.0 rollout is pending DFARS 7021 rulemaking—meaning that the certification will require companies to comply with the new version of DFARS.
Who oversees CMMC?
A few years ago, the DoD authorized the formation of a nonprofit called Cyber AB—the AB stands for “accreditation body”—and it is the sole accreditation and certifying organization that oversees CMMC.
How can supply chain companies stay informed about developments and requirements on this front?
First, I would recommend visiting the Cyber AB website, which has regular updates and town hall meetings among other resources.
How does eFortresses fit into the equation?
In 2020, eFortresses joined the Cyber AB as a Registered Provider Organization. Our sister company HISPI is a Cyber AB-approved Licensed Partner Publisher (LPP) and Licensed Training Partner (LTP). Given that eFortresses has its roots in assisting Fortune 500, Global 1000 and their suppliers to build robust and comprehensive information security programs, it was a natural fit. We have spent the past couple of years assisting SMBs to achieve cybersecurity maturity and certification such as CMMC, ISO 27001, and others.
The way CMMC was described when I first got involved with it was that it’s like a plane that is being built while it’s in mid-air. And honestly, it’s felt very much like that for the past three years, so we like to educate our customers and make it less burdensome to achieve compliance.
One of the primary goals of CMMC is to “perpetuate a collaborative culture of cybersecurity and cyber resilience.” What does that mean to you?
When people say cybersecurity, it almost seems like an oxymoron. But we have to start with what we call cyber hygiene—the basic practices you need to adopt if you’re going to operate a business online. There are 17 practices within the CMMC framework which are basically technical and administrative controls, and if you adopt those, you are at Level 1, which will begin to establish a culture of cybersecurity.
That’s really just the start of the journey, though. The next two levels, Level 2 with 110 practices and Level 3 with more than 110 practices, require third-party certification. The DoD is saying that at the minimum, they expect every single supplier to be at Level 1. And in many cases, depending on what kind of data is handled, they’re going to expect suppliers to be at Level 2 or higher.
To me, creating a truly collaborative culture is about adopting CMMC as a differentiator versus as a discriminator.
How can organizations do their part?
For right now, CMMC is still being rolled out so there is quite a lot to be determined. But they can seek knowledge and stay informed. They can join the CMMC ecosystem by attending monthly town halls. The DoD is currently offering voluntary assessments, which is a good opportunity for organizations that are ready. The first step anyone can take in their CMMC journey is seeking help where needed.
We kindly thank Taiye for his time and we hope you found value in his insights on the Cybersecurity Maturity Model Certification.
To learn more, sign up to receive regular updates at taiyelambo.com and join his Cybersecurity Frameworks and Maturity Models LinkedIn Group, which now has 140,000+ members globally.