Marti Arvin and Anthony Buenger on the CMMC Framework [Podcast]


Post By: Adam Turteltaub

America’s data is under attack. SolarWinds and other recent headline-grabbing stories have demonstrated that foreign adversaries are eager to hack into computer systems for a wide range of purposes.

The US Department of Defense has had its supply chain hit hard. To help protect both the chain and the nation’s assets, it has pursued the Cybersecurity Maturity Model Certification (CMMC), a multi-level approach that requires outside certification rather than the self-certification of the past. Although it applies only to defense contractors, it is a model worth watching since it may eventually expand, in one form or another, to additional areas of government contracting.

In this podcast, Tony Buenger, Cyber Security Consultant and Instructor, and Marti Arvin, Executive Advisor, both of CynergisTek, explain some of the complexities of CMMC and its many levels. Level 1 covers basic hygiene and is primarily focused on technical security controls. Level 3 is a certification that requires maturity in terms of documented policies and procedures that have been institutionalized. Level 5, the highest level, is focused on persistent threats.

Notably, CMMC focuses not just on technology, but also on processes and people, even looking to ensure that the processes are built into the organization’s governance. As a result, it’s not a standard for just the CISO or CIO to handle. CMMC is a commitment that needs to be institutionalized, takes time, and requires both trust and ongoing verification.

In sum, it very much requires the maturity that is a part of its name.

Listen in to learn more about CMMC and what your organization needs to do now, and possibly in the future.