Professional development

CMMC is key to unlocking federal contracting opportunities

August 18, 2021 by Patrick McSweeney

The new Cybersecurity Maturity Model Certification (CMMC) Framework is changing the requirements for defense and other federal agency contractors. That will provide huge opportunities for everyone involved, says Infosec Skills author Tony Buenger, a cybersecurity consultant specializing in National Institute of Standards and Technology (NIST) risk and compliance assessments.

CMMC is the new standard to assess and enhance the cybersecurity posture of the more than 300,000 companies in the Defense Industrial Base (DIB) supply chain. It hinges on Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) working at the Certified Third-Party Assessor Organizations (C3PAOs) that will assess the cybersecurity processes and practices of each organization. Training for CCPs and CCAs is expected to open to anyone who qualifies in late 2021.

“Formal certification is a mandatory requirement for organizations to continue working on DoD contracts,” says Buenger, who was part of the working group developing the CMMC standards and training.

CMMC need grows as time passes

Recent news stories illustrate the need for a unifying cybersecurity standard across the DIB, with foreign actors seeking access to sensitive government data and intellectual property that is key to the nation’s economic and military security.

  • A digital ransomware gang linked to Russia known as “REvil” claims to have taken 23 gigabytes of data from a space and defense contractor based in Fort Walton Beach, Fla. According to its website, HX5 clients include the Army, Navy, Air Force and NASA. The company says it provides an array of “research and development, engineering and technical services to the U.S. government.”
  • A group of hackers linked to the Iranian government used social media in an attempt to gain access to sensitive military information. Using fake social media profiles, the group sent targeted, malicious links through Facebook to individuals who work for the U.S. military and American defense contractors. The group also targeted similar victims in the UK and Europe by posing as aerospace and defense firms representatives to build relationships with their targets.
  • A California grand jury indicted four Chinese nationals for hacking into the computer systems of dozens of companies, universities and U.S. government agencies from 2011 to 2018.
  • According to a private cybersecurity firm working with the federal government, Chinese hackers breached dozens of U.S. government agencies, defense contractors, financial institutions and other businesses. This follows a separate discovery that potentially more than 100,000 private-sector companies had been hacked through Microsoft Exchange email servers.

Learn from the CMMC expert

As a credentialed provisional assessor, Buenger is one of the first cybersecurity professionals in the nation authorized to conduct the new CMMC assessments. He just released a new Infosec Skills learning path to share his knowledge of the new CMMC process.

Buenger says the training is good for anyone — from the IT and cybersecurity teams to senior leaders.

“It was eye-opening when our CFO and VP of marketing realized they each had a part in this. They were all interviewed during the assessment as subject matter experts,” says Buenger. “This learning path is good for senior management to go through because we don’t get into a lot of technical detail. It’s more of a DoD CMMC overview. It has practical exercises and gives a good understanding of the CMMC process.”

Buenger’s DoD CMMC Overview Learning Path includes 12 courses designed to build the necessary skills needed to assist your organization in preparing for a CMMC assessment, including:

  • Overview of federal government guidelines
  • Deep knowledge of the CMMC ecosystem model and assessment methodology
  • Steps to develop the CMMC assessment scope
  • Different CMMC deliverables
  • Expectations for a CMMC assessment

He says it’s also a good prep course for anyone who plans to attend a CMMC boot camp.

CMMC is an opportunity for IT professionals

Because all DoD contractors and subcontractors must pass CMMC certification within the next few years, the need for CCAs and CCPs at those companies and C3PAOs is critical.

“I expect that market to be wide open. CCPs are not only for C3PAOs to hire for CMMC assessment teams; they can be subject matter experts within the organizations seeking certification,” Buenger says. “A CCP is going to help them prepare for the CMMC assessment, get certified and maintain that certification.”

“Savvy cybersecurity professionals are needed for these roles,” Buenger adds. “Now is the chance to get in on the ground floor and become an agent of change by securing the defense industrial base from adversarial attacks by becoming a CMMC expert.”

Join Infosec Skills


Posted: August 18, 2021
Articles Author
Patrick McSweeney
View Profile

Patrick McSweeney began his career in print and then broadcast journalism before pivoting to become an award-winning public relations strategist. During the past 30 years, he has worked with clients ranging from technology companies to food retailers, restaurants, tourism destinations and from manufacturers to nonprofits, real estate development and government agencies.

Leave a Reply

Your email address will not be published. Required fields are marked *