June 29, 2022

Last Updated on January 12, 2024

CMMC 2.0 continues to roll forward, with the US Department of Defense (DoD) making announcements and clarifications about the program in recent weeks. DIB orgs and consultants are also sharing “lessons learned” about costs and missteps as they go through the CMMC 2.0 certification process, including helping clients prepare for certification.

John Verry, Pivot Point Security CISO and Managing Partner, talks about the DoD’s recent CMMC 2.0 announcements and what he’s been hearing from peers on a recent episode of The Virtual CISO Podcast.

Negative impacts of improper guidance

John relates that he’s heard about more than one instance of DIB orgs receiving “bad guidance” from consultants helping them prepare for CMMC 2.0 certification.

“One company in particular that had a painful process went with a Registered Provider Organization (RPO) that give them incorrect guidance,” said John. “They did a migration from an on-prem Microsoft Exchange environment to Microsoft 365, not recognizing the fact that it would not be suitable for CUI [controlled unclassified information]. So now they’re going to have to do another migration to Microsoft’s GCC environment—not so good.”

John also connected with another firm that had a similar challenge. Their RPO recommended that they migrate their email environment to Microsoft GCC. Which is fine for most CUI. But the consultant didn’t recognize that different types of CUI data this company handled, in this case International Traffic in Arms Regulations (ITAR) data, require additional protections. In order to meet ITAR requirements, they need to migrate again at significant expense to Microsoft GCC High.

Look beyond certifications

“Certifications are important, and an organization cannot provide [CMMC] services unless they’re certified,” John notes. “But I think it’s equally important, or perhaps even more important, that they’ve got significant experience in dealing with these types of data like CUI, and have done work in the DIB. It is a relatively unique world to live in.”

What’s next?

To catch John Verry’s complete CMMC update podcast, click here.

Want more CMMC 2.0 guidance? Try this recent podcast episode on the CMMC rollout: EP#82 – Kyle Lai & Caleb Leidy – Ongoing Challenges in CMMC



New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.