Written by David Bedard Jr.
It never surprises me at conference after conference how little the topic of this blog is covered outside of just stating companies need to invest in getting compliant with DFARS and NIST.
During a recent conference I asked attendees how many were handed the responsibility of getting their company ready for CMMC just because they had the responsibility of IT in their role or title. More than three quarters of the attendees in the room had their hands up. I followed this by asking how many thought they had the appropriate level of expertise or training to get their company compliant and ready for CMMC and less than a quarter of attendees had their hand up including those that had the responsibility of IT.
Let’s give this a little bit of a visual and I’ll use round numbers albeit there were more than 100 individuals in the room at that time.
For any business leaders who may be reading this, 75% of the staff that are being requested to prepare for CMMC are in IT. IT is hired based on their experience in maintaining and, budget permitting, securing your network. They are responsible for making sure your organization can keep operating. This staff have gone through training and certifications ranging from CCNA, CISSP, Security+, A+, Network+, etc.
What are they lacking? Yup, training on CMMC. KTL Solutions is not a CMMC Licensed Training Provider (LTP), but this is one thing I always tell companies to do during consulting engagements: why would you not have someone go through CMMC training so that they are in the position to help you get ready for certification?
Once CMMC is a contract requirement, these are the people that will help you get ready for certification which will provide you the opportunity to win more business. Let’s repeat that again. Certified CMMC Professional (CCP) training will help get your staff knowledgeable on how to make your organization compliant, so you have the opportunity to win more business.
On to the next topic for those business leaders still reading. There’s this little thing called an annual affirmation in the CMMC proposed rule. This will be required once the rule becomes final. “Senior Leadership”, which still needs clarifications on what that will be defined as during the public comment period, is likely to be someone of authority to make decisions on the companies.
So, here’s the question. Whether you insource or outsource your IT administration, wouldn’t you want someone on staff that can review everything that has been done and can provide some level of assurance you have things in place that you’re likely the one to be affirming to, at a minimum, on an annual basis?
Listen, I understand. You’re not in business to be a CMMC expert, but you will eventually be required to be CMMC certified in or to continue to win contracts and will have to affirm that you are doing what you need to do in the Supplier Performance Risk System (SPRS). Wouldn’t it make sense to have someone trained on what ‘good’ means when it comes to compliance of your NIST SP 800-171 implementation and validated under CMMC certification?
Training staff cost effective and enormously beneficial investment an organization take for staff tasked to handle the responsibility.
Did you know KTL Solutions has a Compliance-as-a-Service offering? Click here to learn more.
