While the Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) program seeks to significantly improve the way its contractors store and protect sensitive data, it cannot direct industry on what actions they need to take to be CMMC compliant, said the DoD CMMC lead.
Stacy Bostjanick, CMMC director for the Office of the DoD CIO, explained that the DoD has released advisories and references to help its industry partners reach CMMC compliance.
“We put out a ton of documentation to try to help organizations understand what CMMC compliance could look like or resemble, but we cannot tell organizations how to get there,” Bostjanick said during the Billington Cybersecurity Summit on September 7.
Because every organization’s network is different, the department is unable to formalize a one-size-fits-all roadmap to CMMC compliance, Bostjanick explained. Industry needs to find the solutions that fit its networks while still achieving CMMC compliance.
“We can give you guidelines, we can give you this is what it might look like, this is what we think you should consider, but we can’t give you directions,” Bostjanick said.
In addition, DoD has released these documents to address the ongoing CMMC understanding and consistency issues industry continues to face. Bostjanick also explained that DoD industry partners must work together to train and educate their workforce on the steps they need to take to ensure their agency reaches CMMC compliance.
Bostjanick reiterated that the CMMC is the first step to ensure that national security data – especially data shared with third-party contractors – is secure and networks are protected and defended against adversary entities.
The DoD launched CMMC 1.0 in January 2020 – updated to CMMC 2.0 in November 2021 – to safeguard sensitive national security information and protect the defense industrial base from increasingly frequent and complex cyberattacks.
“CMMC is our foundation for battling cyberattacks and data breaches. But we cannot forget there are other areas we need to continue to work on to ensure we are strengthening our cybersecurity posture,” Bostjanick said.