If you manage IT at your company, then you have a lot of roles to fill. Whether you have a small team or it's just you, you could be asked to be the network administrator, help desk technician, IT project manager, business analyst, cyber security expert, and more at any given moment.
And if your company needs to comply with the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC), you're likely going to get another role tacked onto your responsibilities.
Many IT managers who have been reading through the new regulations from the DoD are trying to figure out what they need to do. They find themselves with rising feelings of discomfort or even panic because it’s quickly evident that becoming compliant is a lot more than checking off boxes.
It’s not that IT Managers can’t learn and master everything that’s wrapped up in CMMC -- it’s that they don’t have time to climb the learning curve fast enough, and they can’t peel off from their normal duties to devote enough time to training.
If this sounds like your experience as you’ve started to dig into CMMC, you may have come to the realization that you need help. It’s awkward though, to take that request for additional resources to your boss. You don’t want to be seen as needy or incompetent (because you aren’t), so how you frame your request makes a big difference.
Here are some talking points that you can use to lay your CMMC compliance situation on the table when your IT team needs CMMC support from a trained consultant.
- We Need to Speed Up Our Response
- We Need an Objective Viewpoint
- We Need to Find Ways to Control Compliance Costs
- We Need to Consider All Our Options for Remediation
- We’re Not Equipped to Write Security Policies
- We’re Going to Be Flooded with Data
- We’ll Need to Manage and Maintain Advanced Security Tools
7 Talking Points to Help Explain the Case for a CMMC Compliance Consultant
1. We Need to Speed Up Our Response
The first step in the compliance process is submitting a self-assessment, which was due at the end of 2020.
So, if you haven’t started yet, or if you’re not making any progress doing it yourself, you need to speed up your response. Bringing in a CMMC consultant will help you to make up for lost time.
2. We Need an Objective Viewpoint
One of the steps in the CMMC self-assessment process is to perform a Gap Analysis. You need a straight-up analysis that’s unbiased by history and internal politics.
What’s more, because sometimes IT management and security management conflict, getting an objective viewpoint from a CMMC consultant is going to go over better, and get you further faster.
3. We Need to Find Ways to Control Compliance Costs
How you store and transmit the Controlled Unclassified Information (CUI) that you gather makes a difference. If CUI is stored along with all of your other data, then the scope of CMMC compliance must extend out to your whole network.
It's better to limit the scope of compliance in order to reduce both your security control costs and your assessment costs. A CMMC consultant can give you recommendations on how to do this.
4. We Need to Consider All Our Options for Remediation
CMMC compliance is not one-size-fits-all. There could be many ways to implement the controls in NIST 800-171 and the methods that you pick should be compatible with each other. The last thing you want to do is to cobble together a bunch of tools because you may find down the road that they’re cumbersome to manage.
A CMMC consultant has knowledge that you can tap into to weigh all of your options and make sure that the solutions you use will work together without overlap, and can be managed in the long term.
5. We’re Not Equipped to Write Security Policies
If you’re an IT manager, you know that you need to have both technical and non-technical layers of security. The non-technical layers involve writing, training, and enforcing the policies that guide user behavior. The IT department is not usually trained to write all of the necessary policies, but HR doesn’t have the knowledge of cyber security to do the job either.
And it’s not just the writing -- it’s keeping them updated as company procedures change. A CMMC consultant can write customized policies that follow your unique business processes, and revise them as your business changes.
6. We’re Going to Be Flooded with Data
Your CMMC security strategy is very likely going to include some advanced security tools that you didn't previously use, like Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) software. These tools will be gathering data on your network traffic.
Someone is going to need to monitor the alerts that are being generated by the tools, decide if a response is needed, and then choose how to respond. This is where an outsourced Managed Security Service Provider (MSSP) comes in. If the MSSP is a CMMC Registered Provider Organization, then that’s a sign that they know about both security and compliance.
7. We’ll Need to Manage and Maintain Advanced Security Tools
Managing and maintaining advanced security tools requires a higher level of IT best practices than what your cyber security specialist may be used to. What you really need is a whole department of different IT specialties to call on to make sure that every layer of security is working, is being optimized, and has the correct responses when an alert is triggered.
CMMC Consulting Help for Businesses
In order to keep your DoD contracts – and get more – CMMC compliance is required. VC3 is a Registered Provider Organization with several Registered Practitioners on staff. These consultants are trained in CMMC compliance and can guide you down your path to successful compliance.
Don’t wait! Contact us to speak with a CMMC expert today.