What do you think the CMMC (Cybersecurity Maturity Model Certification) will actually address?

2.1k views · 7 Comments

Managing Partner & CISO in Software, 11 - 50 employees
It's a new fancy way of auditing base control components, fundamentally speaking. It's like saying, "Why do we have to have NIST CSF or 853?" Those are great compliance frameworks, but you can also build an amazing program using the CIS top 20. The reason why people don't is that CIS top 20—and now NIST 853—aren't sexy enough. You can't go to your board and say, "Our strategy is around these 20 controls that people came up with 20 years ago." Your board will say, "No, there are all these new emerging threats," and you're like, "Yeah, but we should have an inventory." When you look at data flows, the number of organizations that don't actually understand their inventory—not just their asset inventory, but data inventory—it's disgusting. It's negligent.
Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees
This is largely beneficial for organizations looking to do work with the Department of Defense. If others choose to get this cert, they will benefit from an independent audit of their security controls aligned with requirements imposed by the DoD. It looks good on marketing material and RFP bids, but ultimately there are plenty of other certs that may better align with your organization if you aren't looking to do DoD work.
AVP and Deputy CIO in Education, 10,001+ employees
CMMC sounds great and looks great on paper, but anyone who has gone through it knows it is not much more than a box-checking exercise for the DoD.
CIO in Energy and Utilities, 11 - 50 employees
I think it is a great effort to standardize practices, as it was (and still is) for technology companies and CMMI.
It's not the first effort to create a framework for it (ISO, etc.).
I think any standard will be very helpful for the security professional to organize and structure the company's body of security policies, practices and everything needed to implement those.
Director of IT in Software, 201 - 500 employees
Another certification in the plethora of cybersecurity certifications. Mainly used for federal work (DoD), it is a checkmark you need to have to get the job :). Not that there is anything wrong with CMMC, but the majority of things it covers can be/are addressed with other existing certificates. Having said that, it can independently evolve to cover areas that might not be there with other certifications.

It's nice to have a security baseline, i.e. a minimum security level that every contractor meets, but this is adding another step/burden for companies: now you need to get certified and assessed for one more certification. There is the CMMC accreditation body and Certified Third-Party Assessor Organizations (C3PAOs) in the picture. Time will tell how much CMMC will help.
CIO Strategic Advisor in Services (non-Government), 2 - 10 employees
As with many certifications, they solve for a specific situation or requirement. But in general, their components should be used only as needed. Certifications can be overly cumbersome and create new issues beyond the ones they intend to solve. Ensure that you're clear on what and why you are using the different aspects... and the consequences of doing so. There are often tradeoffs.
Director in Manufacturing, 1,001 - 5,000 employees
Depending on your motivation, it can be valuable. If you are trying to migrate from corporate security to federal contracts, or even into being a federal employee, it would likely be very valuable, in particular for getting past computer filters on resumes.

As with many certifications, standards, working groups, etc., do you really know how to apply it? Can you work and take actions based on what you learned? If the answer is yes, you will get ahead of the competition.

If it can address standardization of language, definitions of actions, processes and procedures, it can help accelerate actions for defending our cyber assets. DFARS really didn't help us get better, in my opinion. We spent more time debating the best ways to be compliant than taking concrete actions.

Just like trying to align your IT department with ITIL didn't suddenly make them the greatest service organization, CMMC isn't suddenly going to secure your company. The actions taken to truly move towards an improved security posture are what is needed, and sometimes high-visibility programs like CMMC will help justify faster actions.
