Dave Simprini of Grant Thornton identifies four best practices that defense suppliers can use to prepare for – and ultimately achieve the necessary rating under – the Cybersecurity Maturity Model Certification:
- Select the CMMC level that is right for your organization, for now and in the future. Level 3 or higher is needed only if you handle controlled unclassified information.
- Evaluate your business relationships with subcontractors; this involves them, too. It is your responsibility to ensure that your subcontractors achieve the right level of compliance.
- Define your system boundaries to minimize the threat surface, and designate a defined enclave that can hold CMMC-relevant data.
- Approach CMMC as an enterprise-wide initiative, not just a security challenge. It is critical to get stakeholder buy-in and continue to engage decision-makers from across your organization.