- Sponsored
CMMC compliance made practical: A data-first path forward
As the Department of Defense rolls out its Cybersecurity Maturity Model Certification (CMMC) program, defense contractors of all sizes are working to comply with new security requirements to safeguard sensitive military data. However, for many small and mid-sized organizations, the costs and complexity of compliance can feel overwhelming.
For defense officials determined to leverage private sector innovation, providing a broader array of firms with an opportunity to work with the Pentagon while protecting sensitive information has become a critical balancing act.
“CMMC is a certification that you need to have now contractually to do business with the United States Department of Defense to ensure that you are treating the data that you create or share with them the way it needs to be treated,” explains Trevor Foskett, Vice President of Solutions Engineering at Virtru, in a new video produced by Scoop News Group for Virtru.
The stakes are high. Foskett notes that adversaries’ ability to replicate U.S. designs underscores the need for stronger data protection. “One of the examples I hear all the time is our adversaries’ next-generation fighter jet looks exactly like ours,” he says. “Why is that? Well, because somewhere along the lines, they got their hands on some data that told them what we were working on.”
Yet implementation is far from straightforward. Contractors must evaluate how their businesses handle controlled unclassified information (CUI) and identify gaps in their security posture. “Anytime a new regulatory framework is introduced, you need to figure out how you’re going to fit your existing business — some of these are decades old — into that new framework,” says Foskett. “Once you start unraveling this CMMC puzzle, you start to understand that there’s a lot that needs to go into it.”
For smaller organizations, the financial barriers are particularly steep. “The reason that this is so expensive is because to get assessed…you’ve got to pay someone to come in and do that evaluation for you,” explains Foskett. “That can be tens or even hundreds of thousands of dollars. Add in costs for new tools or additional staff, and this can become a real challenge that might be millions of dollars for an organization, even if you’re a small one.”
Foskett discusses how smaller firms can still compete for defense business, particularly by taking smarter approaches to securing their data. He urges contractors, for instance, to take a targeted approach. “You don’t need to go and say, ‘Hey, our whole organization needs to be CMMC compliant,’ if you only have one department that really works at the DoD,” he says. “Let’s focus on that department instead of paying out of pocket for everyone.” He also highlights available tools like those from Virtru, which are based on practices developed at the National Security Agency, that can encapsulate data with specialized security controls.
Ultimately, he emphasizes that compliance must align with security. “At Virtru, we talk a lot about this idea of ‘compliance theater’ — checking boxes for the sake of checking boxes rather than actually delivering real security,” says Foskett. “A successful implementation means not only have we checked all those boxes, we actually have a secure environment…and a solution that not only protects the data but allows that access for those who should have access when they need it.”
Learn how Virtru’s data-centric security helps organizations strengthen CMMC compliance.
This video was produced by Scoop News Group – for FedScoop, DefenseScoop and CyberScoop – and underwritten by Virtru.