The standards for the Cybersecurity Maturity Model Certification show that the Pentagon is serious about securing data within its enterprise. Gordon Bitko, senior vice president of policy for public sector at ITI, says that the policy change could go smoothly for some contractors.
“If you are a vendor providing FedRAMP services, you are doing actually more than CMMC requires, because FedRAMP requires continuous monitoring. That’s a real significant step forward in cybersecurity. That’s a great best practice we should be looking to work with DoD to include in the future versions of the CMMC,” Bitko said. “If you are 3, 4 or 5 steps down, it is an open question for you now. Can you leverage those processes through FedRAMP-approved services? You have to figure that out yourself. There are lots of people asking those questions now.”