By Julie Falconi, CPSM
Ever see a movie where a scientist with crazy hair is warning everyone that something BIG is about to happen? That’s been me for the past six months.
It’s not an asteroid headed towards Earth, but the Cybersecurity Maturity Model Certification (CMMC) is going to be a big deal to professional services firms, especially if your clients are Federal agencies.
At first glance the CMMC sounds like something that's only a concern of IT departments, but its impacts will be felt well beyond IT.
So what is the CMMC? To succinctly explain a complex topic, Federal agencies are starting to require that firms protect controlled unclassified information (CUI), and here’s the kicker: you’re going to have to hire a third party to come in and verify that you are doing so.
Protecting CUI is no joke. It requires plans, systems, controls, and processes surrounding everything CUI touches, and it leaves zero room for error.
Why is this a concern of marketers? Here are some examples of potential CUI that may sound familiar:
Research and engineering data
Past performances with government building information, etc.
If you work with any of these things, and the government deems them CUI, then you and your firm are going to have to learn how to handle them properly.
So right now you may be thinking this seems more in the realm of the Defense Industrial Base.
As of right now, yes, this is dramatically affecting every firm that works in Defense. In fact, the CMMC will be in every vehicle for the Department of Defense (DoD) by 2026, but it’s moving past the DoD.
The General Services Administration (GSA) picked up the CMMC requirements for two of its vehicles, and Katie Arrington, Chief Information Security Officer for the Department of Defense’s Acquisition and Sustainment Office, said she believes the DoD’s Cybersecurity Maturity Model Certification program “will become a Federal standard for the whole of government rapidly.”
You may also be thinking that you’ve never encountered CUI so this shouldn’t be a problem. The government has admitted that they’ve done a poor job labeling CUI and they’ve committed to changing that.
Additionally, if you read the fine print of solicitation documents, you may see more requirements than you realized were there – there's just never been anyone to go around policing it.
What can you do? Right now, the best thing firms can start doing is educating themselves on what the CMMC is, what CUI is, and how they can prepare.
If marketers or owners want to know more about a CMMC-complementary proposal process that’s designed to integrate into a firm-wide plan, I can help: firstname.lastname@example.org.