October 15, 2020

Last Updated on March 16, 2023

Though its rollout is just beginning, the new Cybersecurity Maturity Model Certification (CMMC) framework from the US Department of Defense (DoDis gaining interest and momentum across the US government—and across the globe.

Katie Arrington, the DoD’s CISO for acquisition and sustainment and point person for the CMMC, has been upfront in saying she believes the CMMC “will become a standard for the whole of government rapidly.” 
Evidence is building that she is correct. Many of the CMMC insiders we’ve interviewed for The Virtual CISO Podcast have said likewise, including Ben Tchoubineh, Chair of the CMMC-AB Training Committee and Stuart Itkin, VP of Marketing at Exostar.
Recent podcast guest Chris Lank, Founder and CEO at SaaS compliance platform provider Ivis Technologies, is another CMMC expert who is personally seeing worldwide interest in CMMC adoption.
“We’re telling people to get started now; don’t wait,” says Chris. “CMMC is coming wherever you are. It’s already starting to cross over outside the DIB [US Defense Industrial Base].”
Chris continues: “A few weeks ago, Katie [Arrington] was on a webinar for the guys at PreVeil. And she essentially said that it’s now going to come out that if you’re a publicly traded company and you have to be Sarbanes-Oxley Section 404 compliant, by 2021 you’ll have to be certified possibly up to CMMC Level 3.”
“We knew that this standard was going to start migrating outside of the DIB to all the parts of the federal government, and that’s already starting to happen,” Chris reiterates.

“Just for the record, we’ve already seen it,” adds host John Verry, Pivot Point’s CISO and Managing Partner. “I reviewed a contract for an eDiscovery client of ours that’s ISO 27001 certified. And it had NIST 800-171/CMMC language in it, where they’re saying, ‘Hey, this is where we expect you to be.’”



Chris replies: “Eventually it’ll start migrating down. So it’ll be federal and then it’ll hit state and then it’ll hit local. Let’s say you’re a small supplier out there right now, and let’s say you just do something for the state of New Jersey or the state of Arizona. Right now you may not be required to do this. But odds are that within 24 months, you will be required to do it in order to get on those state contracts.”
“This is an insane inflection point in information security if this goes the way that folks like you and I are thinking about it,” echoes John. “CMMC becomes a US standard for information security. And then beyond that, I’ve already talked with people in Canada, the UK, Australia and Singapore about it. Because we’re hearing the fact that other countries are looking at what we’re doing and saying, ‘Hey, how do we piggyback on this?’”
One reason the CMMC has “international appeal” is that it incorporates input from multiple standards from multiple nations, such as the UK’s Cyber Essentials and Australia’s Essential Eight security baseline, not to mention ISO 27001.
“The idea is that eventually this will be the worldwide standard,” opines Chris. 
If your company does business directly or indirectly with the DoD or other US federal agency, moving towards CMMC compliance now is almost certainly a good idea, as you want to be ahead of this gargantuan curve… not behind it.
Our podcast episode with Chris Lank is the perfect briefing on CMMC compliance challenges and how a SaaS tool can help support compliance.
To hear the full show featuring Chris Lank, click here. If you don’t use Apple Podcasts, click here.