5 Simple Questions to Help Prepare Your Team For a CMMC Consultant

Jerry Leishman

June 29, 2021

Every day, we’re reading about the latest nation state and ransomware cybersecurity attacks. For each attack you read there are countless others that don’t receive news coverage. Foreign adversaries are pursuing our nation’s sensitive data at an accelerating rate to advance their own causes and disrupt our innovation, prosperity, and freedom. For many companies, it’s no longer a matter of if they’ll be hacked, but when they’ll be hacked or when they will execute the exploit already in your systems. The Department of Defense mandated cybersecurity maturity model certification (CMMC) and President Biden’s recent executive order should have all DoD suppliers taking steps toward hiring a CMMC consultant to help move their CMMC journey forward.

Before you engage with an experienced CMMC consultant, take the time to educate your team about the road ahead. This will help create a common sense of purpose and team work your team will need for many discussions and cross-departmental changes needed. Starting a cybersecurity conversation with your leadership team before a CMMC readiness assessment will help reveal the type and scope of changes you may need to make to the security culture of your company.  

CMMC Helps You Build a Security Culture 

Similar to a corporate culture, a security culture is the people, processes, and technologies your company uses to protect its secrets, innovations, and customer data. The CMMC journey often requires a significant security culture shift to enable a more secure and protected data protection and governance program.  

CMMC and security culture go hand in hand because CMMC isn’t about checking a box and gaining a certification. CMMC is about changing the security culture within your company. To influence culture change, a company’s leadership needs to embrace required security changes in both action and words, so all employees can see and experience an institutionalized shift in how your company operates, protects its data and our nation’s secrets.  

The more your company creates a security and data protection culture, the better protected your company and customers will be when an attack occurs. Transforming your culture to a security mindset doesn’t happen overnight and can’t be mandated.  As a forward-thinking leader you can educate your staff and begin to prepare them for an engagement with a CMMC consultant by asking probing questions.

How to Prepare Your Team For a CMMC Consultant

Here’s five questions you can use in your next leadership team meeting to help start a security culture conversation. For many companies, it’s often the things you don’t know you don’t know that are most harmful. Start with just a few basic questions. This will stimulate conversation and help your organization understand the value of a readiness assessment. Your CMMC consultant will guide you through a much more intensive unveiling of your security culture and posture. Ask these questions:

  1. If a hacker attacked us today, how would we know? What security policies, procedures, monitoring and controls do we have in place to help prevent, manage, and overcome the attack?  
  1. How do we train our staff to be more aware of data protection importance and the consequences of a poor security posture?  
  1. How do we store, handle, transmit, create, and destroy federal contract information (FCI) and controlled unclassified information (CUI)? How comfortable are we identifying FCI and CUI when we see it? 
  1. How do we know who has access to our systems, technologies, and intellectual property and can disrupt our data protection?  How do we enforce it?  Where are our vulnerabilities? 
  1. How many authorized devices and Internet access points do we have? How well are they configured to prevent unauthorized access? 

These five questions are just a start, and will undoubtedly create good discussions about how to proactively protect your company data.

Proactively Protect Your Company Data 

As a leader, you are responsible to understand and enforce data protection and governance across your enterprise.  You don’t have to wait for the CMMC consultant to arrive for the readiness assessment to start taking action to protect your data. You can take action today to protect your company’s data, your status as a DoD supplier, and your company’s reputation. A great starting point is the NIST 800-171 self-assessment. Download the self-assessment and read the set of questions. You’ll find the detail helpful and illuminating.  

If you are still learning about cybersecurity and how a CMMC consultant can help you – we’re glad you’re here. We’re on this mission with you to protect our nation’s trade secrets, innovations, and data. A great place to start is the readiness assessment. Read more about our CMMC readiness assessment and watch a few of our past webinars to learn more.  

For the past 13 years, we’ve helped companies navigate cybersecurity and regulatory compliance issues with FedRAMP, DFARS, NIST, EAR, and now CMMC. As a CMMC Registered Provider Organization (RPO), we’ve also seen a lot of companies struggle with attaining a security culture. Helping as many people as we can is part of our mission to protect corporate data, and we’ll share with you key learnings as a CMMC consultant to a growing list of organizations.

We’ve completed and helped customers navigate to right-sized and cost-optimized compliance solutions that minimize end-user workflows.  Call me at 833-530-2083 for a free consultation or send your email directly to jerry.leishman@cortacgroup.com.