An interview with Jon O’Keefe, the Technology Education Jedi at Logical Operations, on the Cybersecurity Maturity Model Certification (CMMC) and cybersecurity trends.
The new year is around the corner and time is ticking for almost 50,000 prime contractors who contract with the Department of Defense to become CMMC certified. Studies show that nearly $600 billion is lost annually to cybercrime across all industries. The influx of cyberattacks we have seen in 2021 has led us to believe that the CMMC certification will be key to attaining and maintaining DoD contracts. With the compliance date of 2025 looming, getting certified early puts your business at a huge advantage and will enable you to win business contracts.
We decided to consult with Jon O’Keefe on recent cybersecurity trends and the Cybersecurity Maturity Model Certification (CMMC), a program developed by the U.S. Department of Defense designed to protect information that the Department shares with its contractors. In this blog, we cover some key takeaways from our conversation.
Q: Logical Operations has a new certification program that was released on November 1st. Tell us about the CMMC and what is driving the demand for it.
A: So, CMMC, the Cybersecurity Maturity Model Certification, is a Department of Defense (DoD) initiative. It is their move from a self-attestation model on cybersecurity practices and procedures to a third-party assessment model. What does that mean? The Defense Industrial Base is all the companies that do business with the DoD, and they range in size from Boeing, Lockheed, Raytheon, the big players, all the way down to Dave and Don’s garden supply shop, who hold a contract for flower services and mowing on a military installation. In the past, if they’ve wanted to bid on a contract, all they’ve had to do was say, we are good at cybersecurity policies. What CMMC is, is the DoD saying to all these businesses out there that no longer will you be able to self-attest that your cybersecurity policies are great; you’re going to have to have a third-party organization come in and look at all your policies and procedures and then evaluate you, and that’s CMMC in a nutshell.
Q: Who is your main audience for the CMMC?
A: It’s any member of the Defense Industrial Base. So, any business that bids on federal and DoD contracts. We and the Department of Defense estimate that there are about 50,000 prime contractors out there globally. And so, these are organizations that bid on federal contracts. Underneath them, there’s a number of subcontractors that is difficult to estimate, somewhere in the millions. All these organizations are going to be impacted by this.
Q: What does the actual certification look like from an individual or group perspective?
A: That’s a great question. This ecosystem inside of CMMC contains what are called organizations seeking certification. They have an acronym, because everything inside of this has an acronym, and those are now called what we call OSCs, Organizations Seeking Certification. They are everything you just mentioned: the three hundred and fifty thousand members of the Defense Industrial Base as prime contractors, the million subcontractors, the IT vendors that are out there. They are going to need to follow a rubric of 17 different domains and one hundred and seventy-one best practices of cybersecurity. To follow that rubric and achieve mastery in those domains and areas, they’re likely going to pursue some form of training. Now there are official CMMC certifications, there’s domain training, and then there’s unofficial CMMC training. Every department inside an organization is likely going to be impacted by this cybersecurity framework.
Q: Are there any prerequisites for somebody taking this class? What level do they need to be at?
A: That’s a complicated answer, but I’ll break it down. The first thing that an individual can look at taking is the Certified CMMC Professional certification. That’s about forty hours’ worth of training, and the people that are looking to get that certification will likely have several years of IT experience. They will likely have some experience in IT. Nothing is stopping anyone from becoming a Certified CMMC Professional other than the difficulty of the class and the exam. So, there are no hard and fast prerequisites, but the challenge level is high for this certification. From an awareness perspective, there’s no prerequisite, and anyone inside an organization who is seeking to be part of the Defense Industrial Base or is already part of the Defense Industrial Base would benefit from a general CMMC awareness training, the same way that health organizations benefit from a general HIPAA training, the same way that a bank, for example, would benefit from having PCI DSS awareness training or SOX training.
Q: How do you believe this certification, CMMC, compares to CISSP?
A: They are certainly similar. They’re both certifications designed for IT professionals who are either looking at a further career as an assessment professional or looking to guide their organization through an assessment process. So, they’re very high level in that regard. The difference is that CISSP is kind of an industry standard across the board, whereas CMMC is a necessary certification for an assessment professional and a very helpful certification for an IT professional who wants to guide his organization through the CMMC assessment process.
Q: So, we mentioned there has been a tremendous increase in cybersecurity threats over the past two years. What do you believe has led to this?
A: You’ve got multiple factors. The first is obviously COVID. The move to a remote workforce causes IT challenges. When you’re in your office, you’re behind certain firewalls. There are all sorts of things that your organization can do to protect you. However, when you make the move to virtual: one, you have employees at their own homes on their own Wi-Fi. But more importantly, what you see is that people in their own environment become infinitely more comfortable. 90 percent of cybersecurity incidents are the result of an end user. You or me or Sara in the warehouse just having a bad day, not reading something, not paying attention to a prompt, thinking an email was coming from our boss when it’s not. What has happened is that people are having more and more bad days. When you’re at home, you become infinitely more comfortable with the technology. There isn’t the same kind of tension in your best practices when you’re doing that type of thing.
The second thing that’s causing a rise in this is cryptocurrency, and you can see there’s a direct correlation in the creation and rise of cryptocurrencies, starting in 2021 with the Silk Road on the Dark Web, which was shut down about a year later, but now there are dozens of marketplaces on the dark web where people can purchase things using cryptocurrency, whether it’s Ethereum or Bitcoin or any one of the other number of cryptos. One of the most popular illegal goods and services that you can purchase now is hacking efforts. Those are the two major contributing factors that are going on right now, which is why we’ve seen such a huge increase in cybercrime over the last couple of years.
Q: As far as general cybersecurity and protection for an organization, we would try to encourage this as more of a proactive kind of solution and knowledge for an organization to have. But how do you find current customers are behaving with this, or is it more reactive?
A: So right now, the DoD has put out a deadline, and that is fiscal year 2026, which means September, at the end of September 2025. At that point, all DoD contracts that go out into the Defense Industrial Base which contain either FCI, Federal Contract Information, or CUI, Controlled Unclassified Information, will require anyone who’s bidding to have a CMMC level. So, everything right now is a proactive move to get ready by September of 2025. Once it goes into effect, you will lose out on business if you are not prepared for this.
Q: You mentioned the Cyber Safe credential. Can you tell us a little bit more about that?
A: Cyber Safe is a credential from Certain Access. This is a provider of emerging technology certifications and business-level credentials. Cyber Safe is designed to help any person inside an organization reach a level of cybersecurity awareness, so that way they will be prepared to protect your company’s most valuable resources, your data and your PII, your personally identifiable information, from things like social engineering attacks and basic malware and email hacks and all of that.
Q: Are there other classes that you teach in the cybersecurity area?
A: There are plenty of classes. There is the CyberSec First Responder, which is an incident response certification and maps to the incident response domain inside of CMMC. There is a cybersecurity coder, which maps to several different domains inside of CMMC. Those are both high-stakes certifications from our partner company, Certain Access again, an emerging technologies certification house. Several cybersecurity classes can help an individual stand up for this. The biggest one is the CMMC Awareness class. CMMC Awareness is for the whole organization.
Q: Throughout this discussion, we’ve talked about CMMC being a huge upcoming trend. But what other trends do you see happening in the upcoming years centered around cybersecurity?
A: I see a couple of things, and I want to use one word to describe it, and that word is data. The next 5 to 10 years will be very data-focused, and there are three things you can do with data from an organizational perspective. The first is you can understand it. Understand what your data is doing for you. The second is securing it and keeping that data safe. That is a huge trend and will continue to be a huge trend. And then the third is data ethics. What do we do with this data that we have, and how do we behave ethically? So that’s one of the major trends that you’re going to see, with a huge component of that being cybersecurity: it’s going to be analyzing data, securing data, and ethically handling data. That’s one major trend, with an emphasis on security, of course, because if you can’t keep it secure, then you shouldn’t have it in the first place. The second major trend I see is this concept of maturity models. The Cybersecurity Maturity Model Certification, and cybersecurity maturity modeling in general, is going to, I believe, become a trend that the Department of Homeland Security is investigating.
To hear the full podcast episode, click here. To learn how TTA can help with your cybersecurity goals, speak to a TTA Learning Expert today!