An update on CMMC

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Fed Tech Talk’s audio interviews on Apple Podcasts or PodcastOne

This week on Federal Tech Talk host John Gilroy interviewed Stuart Itkin, vice president of CMMC and FedRAMP Assurance for Coalfire. He was in the studio to give an update on the Cybersecurity Maturity Model Certification initiative from the Defense Department.

During the interview, Itkin explored three basic concepts about CMMC: Reciprocity, how CMMC deals with commercial off the shelf products, and what to expect for the CMMC deadline.

Stuart Itkin, VP, CMMC & FedRAMP Assurance, Coalfire

One approach to understanding CMMC is to look at NIST 800-53 and all its controls. Compliance with varying subsets of these controls will give compliance for companies in the Defense Industrial Base (DIB).

Like so many things in life, if your company is aware of future compliance requirements, the process should be expected and planned for. However, if your company is up for renewing a project you may get caught flat footed and not get the expected renewal of that contract. Itkin explained that understanding your current system and its current gaps with compliance is the best way to approach any future audits.

If you look at the current merger and acquisition climate, some contractors do not bother with CMMC because they think they will be acquired before this onerous compliance. Furthermore, if you acquire a company that is not compliant, it could cause some serious segmenting in your practice areas.

As of the interview, 190 companies have applied for the designation C3PAO, or Third-Party Assessor organization authorized by the CMMC-AB.

Related Stories


Federal Tech Talk

TUESDAYS at 1:00 P.M.

Host John Gilroy of The Oakmont Group speaks the language of federal CISOs, CIOs and CTOs, and gets into the specifics for government IT systems integrators. Follow John on Twitter. Subscribe on Apple Podcasts or Podcast One.