Kyle Lai, President and CISO of KLC Consulting, was thrilled to be interviewed along with Carter Schoenberg, VP of Cybersecurity at SoundWay Consulting, on the cuicktrac podcast to discuss the common CMMC 2.0 Scenarios and key strategies for organizations seeking CMMC certification.
Thanks to Derek White, Co-Founder and Director at cuicktrac, for leading the lively discussion and for the opportunity to shed light on this pressing topic. The goal of the CMMC 2.0 Scenarios podcast was to give confidence back to the DIB and OSCs, helping them navigate the process and make the right decisions to be successful under CMMC.
Common CMMC 2.0 Scenarios all DIBs face
Organizations seeking certification (OSCs) vary in size and scope, yet there are common scenarios that all DIBs face. On this podcast, Kyle and Carter discussed:
- Changes from CMMC 1.2 to CMMC 2.0
- Challenges facing OSCs
- Common scenarios and what OSCs can do to find success under CMMC
The CMMC dates and timelines
Going back in time, a number of other framework requirements were removed between CMMC 1.0 and 2.0. As a result, the timing that the DOD is mandating has yet to be determined, but according to comments made by the Director of CMMC, Stacy Bostjanick, the new guidelines release date looks to be around July 2023. It is vital for OSCs and DIB contractors to be at a good baseline today to prepare for CMMC officially.
The CMMC readiness challenges
Among the CMMC 2.0 scenarios, there are several key challenges Kyle and Carter outlined regarding CMMC readiness. The overarching challenge is to be adequately prepared to meet the CMMC requirements, whether at Level 1 or Level 2. This takes time.
For Level 2, companies are dependent on the schedule of the C3PAO. Even if you’re ready to go now, it may take weeks or months to be evaluated by a C3PAO due to supply and demand issues. Both Kyle and Carter will be actual assessors to help free up opportunity in the marketplace. Yet the historical average from when a solicitation is released to the time of the award is generally four to six months.
Director of CMMC, Stacy Bostjanick, mentioned 80,000 companies that require OSCs to have CMMC 2.0. Right now, only 10-11 C3PAOs are authorized. By year end, Kyle states, we may be lucky to have 30. This creates a backlog in the system, presenting a huge obstacle. What constitutes fair and reasonable rates for C3PAO assessors is another area to consider. Open market rates dictate fees in the $150,000 to $170,000 price range due to supply and demand.
Another challenge Kyle and Carter discussed concerned CUI marking. There is a lot of gray area around CUI marking that needs to be figured out, such as:
- Determining if it’s CUI and what type of CUI it is
- Making sure staff, contractors or employees have the DOD mandatory CUI training
- Addressing the role of MSPs and MSSPs to ensure they’re CMMC compliant on their client’s behalf
SPRS is only one leg of the stool
Companies generally have a lot of confusion about SPRS because there’s a lot of miscommunication and misinformation out there. There is a scoping guide, but people don’t know to actually read it, and if they do read it, they still don’t understand it. For instance, even though you have already made your submission to the DOD SPRS system, what about your:
- Financial accounting system
- Firewall
- VPN
- Active Directory
It’s better to have a consultant that understands all of the nuances of CMMC. It can be very costly both in terms of time and money to have to go back and do it again if everything hasn’t been addressed.
CMMC 2.0 Scenarios: In conclusion
Thanks to Derek White for leading the way and giving Kyle Lai and Carter Schoenberg the opportunity to share the most pressing challenges that CSOs and DIB contractors face today when trying to navigate the evolving CMMC guidelines. Now is the time to begin putting the steps in place to do what’s best for your company to be compliant and meet the known requirements. This is such a complex area that it is prudent to use consulting resources that understand your data.
Be sure to vet your CMMC consulting organization on considerations such as contract duration terms and limitation-of-liability warranties. Taking these important steps will give you the confidence to move forward with CMMC readiness. In the words of Derek White,