On November 4th, the Department of Defense (DOD) announced an enhanced “CMMC 2.0” program which will maintain the program’s original goal of strengthening cybersecurity and protecting sensitive data. The DOD is in the process of rolling out CMMC 2.0 and updating program details. As a result, the details of related materials presented below are subject to change over the next 12 months.
Implementing a roadmap to CMMC compliance should be a priority for government contractors and can help navigate the complexities of the journey.
Join Wendy Terry, Partner and Government Contractors Practice Leader and CMMC Advisory Lead, as they discuss the latest on the Cybersecurity Maturity Model Certification (CMMC) and touch on:
- Background and overview of CMMC
- Latest information on the CMMC rollout by the Department of Defense (DoD)
- Preparing your organization for compliance and how CMMC Registered Practitioners can help
This video was transcribed through a third-party application. Please disregard any misrepresentations.
Wendy Terry: (00:04) : Good morning or afternoon. My name is Wendy Terry, and I am fortunate to lead the Government Contracting practice here at Withum today. I have with me one of our senior consultants, Mike Seip, who has significant experience helping clients with compliance and CMMC cyber security maturity model certification. Mike, thanks for joining today. First, would you please tell our audience a little bit about yourself and what your background is in the GovConspace?
Michael Seip: (00:43) :Sure. Thanks Wendy. Hello everyone. MikeSeip, as Wendy said. I’m the CMMC Advisory Lead at Withum, I work within the cybersecurity group and, um, as we talked through some of the things, I think it’ll be clear why CMMC and the cybersecurity domains overlap. But my background is why I’m actually talking to you now as a 10 year veteran of the Navy. I was a Naval aviator, flew F-14s and F-18 slater on, off of the enterprise two deployments, did a flight instructor tour in Pensacola and then did federal acquisition and government contracting for nine years in the R&D space after that. So I have experience as a prime, as a subcontractor and that interaction with various government and federal and defense contracting agencies at different levels and different scopes. So it kind of naturally played out that I think it aligns well with, as we spin up CMMC in general and then specifically the practice that Withum, that I play in that space. So I’m happy to, I’m happy to do it.
Wendy Terry: (02:03) : That’s great. So, Mike, for those that are not very familiar with the history of CMMC, can you give us like an overview of CMMC and what the latest information, you know, where it’s been historically and where it’s going, in regards to the rollout by the Department of Defense?
Michael Seip: (02:29) : Yes, and that’s a good question. And one that is sensitive and dependent to a timing- and schedule as we go. It’s an evolving process, want to emphasize that, but there is a couple of things that are absolute true truisms, and that is, there will be a hundred percent requirement for CMMC compliance for all defense industrial base members and defense supply chain members. Right now, that’s for the first day of fiscal year FY26, so October 1st, 2025. It’s coming up. That deadline hasn’t changed too much. So the rollout is still based upon kind of a 24 to 36 month time horizon. You begin to think a little bit more and look a little bit more into the details of that. And specifically the scope,size, number of contractors, various organizations and agencies that’ll need to be compliant and will need to be assessed and audited.
Michael Seip: (03:42): It’s a very challenging situation. Will we be able to get there from here? Give me a talk. It’ll be a tough call, but the, I know the DoD wants to try. In fact, they are pushing very hard because as we’ve all seen over the past 12 to 18 months in particular, it’s not something that’s going to be below the radar when it comes to the politics. And particularly congressional oversight, they’re getting a lot of heat. I think the expectation is push harder rather than let off the gas. So the short answer, direct answer is looking at about another 24 months before nearly universal compliance will be required as we go. And there’s also actual numbers and some detailed information that if you’d like to, I think we’ll provide some URL information from Withum shortly. But we have all this, you can check on our website and it shows the rollout schedule. The more the point though is it’s a phase ramp or a ramped rollout for until FY25.
Wendy Terry: (04:57): So if I’m a contractor, what should I start doing to prepare? For example, if I haven’t really done much at this point, what do you recommend a company should start doing to prepare?
Michael Seip: (05:17): That’s another good question. In particularly from the perspective of, and when we tell Withum clients we’ve begun discussing present with clients that have federal, specifically defense contracts. We’ve been telling them this recently, and that’s, again, looking at the problem as a whole problem, being the number of agencies, firms, small, medium-sized businesses, et cetera, that will need to be audited and the timeline. There’s going to be a backlog. It’s inevitable. Now the problem is this. If CMMC compliance is a predicate for bidding on any specific contract, if you’re still on a waitlist, you know, without exploring contingency operations and exceptions and junctions, what have you, there is an elevated risk that you and your firm will be unable to bid on contracts unless you have the signed off audit. So because of that, our recommendation, Withum’s recommendation to our clients is begin the process as soon as possible.
Michael Seip: (06:33): That’s easy to say, but it really does stand to reason. There’s not, it’s not just saying it to, to get a move on because earlier is better, there actually is a legitimate logic behind it. So talk to, if you like, talk to Withum, speak with someone who is smart on CMMC and the process. To that briefly look for a company that is either a registered provider organization, or has multiple registered practitioners, CMMC registered practitioners on the staff with them. We accommodate both. And you know, we certainly will, we’ll be more than happy to start a discussion with anyone that desires.
Wendy Terry: (07:31): So that being said, talk a little bit about what we do maybe specifically to support our clients. CMMC compliance prep, I know there’s a pre-assessment type process for some of the steps. So can you kind of walk through that a little bit more in detail?
Michael Seip: (07:54): Sure. And that’s, it’s important. And when I, when I mentioned, when we discussed earlier, that why I’m working for the cyber group and within the cyberspace, why that aligns nicely with CMMC besides the fact that CMMC one of the letters of the acronym is cyber security. It is that the real best way to really only smart way to determine what needs to be done, when, what processes need to be onboarded or attributes needed to be changed within your organization or your firm, is to do a security assessment. Cybersecurity assessment of where you are now, then map that to the cyber and the CMMC level one or level three, whatever your criteria, the objective level that you’ll need for bidding on whichever contracts you were interested in bidding on. And then a roadmap, how do you get there from here?
Michael Seip: (09:01): And so the quick answer is Withum has a long-established, and I think amongst the best in the country in terms of quality of personnel. Almost all ex-military for the cyber penetration test or a security assessment, virtual CISOs, we have the talent and the experience to be able to roll out a quick, or not-so-quick and rigorous if necessary and appropriate, security assessment. And from that we’ll map to CMMC level one, level three to begin with. Again, contract dependent. And then we will work with you. The other, or the last part of that is, and you said it specifically, Wendy. Advisory preparation. We can roll out a requirements or attribute mapping with anybody. And that’s not cosmic. I think where real value is added and something Withum is very good at is once we have that mapping, here are the areas where we need to focus on, where we need to increase capability and what have you, in order to assure CMMC level X compliance. The art and the fine point of getting there and helping along the process after the assessment and prior right up until the day of the audit in fact, is I think where the real value will be added. And that’s one of the areas where we, have, I think, a lot of services to offer again, as part of our baseline advisory package.
Wendy Terry: (11:01): That’s a great answer to the question. And, and certainly just to wrap up on this, you know, we really enjoy what we do here at Withum. And so we’d love to be able to provide more information to you, whether you’re a client or just thinking about CMMC. Certainly you can reach out to either Mike or myself. Our contact information will be provided, and if you’d like more information, you can always visit our website at, withum.com. That’s W-I-T-H-U-M.com. Well, Mike, thanks very much for giving us a quick overview and idea on the process, the planning and how the outcomes should look under CMMC compliance. Appreciate your time. And we’ll talk again later.