April 28, 2020

Last Updated on January 13, 2024

Is your organization ready for CMMC?

As CMMC is rolled out over the next 6 years, it’s going to become a reality for more and more DoD subcontractors. As many as 50,000 organizations by 2025. 
Thankfully, there are folks out there who are experts at this. 
On this episode of The Virtual CISO podcast, I got a chance to chat with Stuart Itkin, Vice President of Marketing & Product Management at Exostar. Stuart and his team are leading the charge when it comes to CMMC readiness. 
They’re pioneers in leading the way for folks in the Defense Industrial Base (DIB).


“But my organization is already subject to NIST 800-171. We attest every year. Why do we need to worry about CMMC?” 
For a lot of folks, the answer is, “Because we have to in order to bid on this particular contract or project.” 
These two sets of requirements are going to coexist for a period of time, and the number of contractors and subcontractors subject to CMMC is only going to grow over time starting in 2021. 
And, as of 2026, according to Stuart, all RFIs and RFPs will have CMMC requirements. 
So these requirements from NIST 800-171 and CMMC are going to coexist. Meaning a given supplier may have to comply with CMMC for one contract, and still report with respect to NIST 800-171 for another. 

How Can Exostar Help? 

One of the advantages of working with Exostar is they are giving an easy mechanism for primes to gather more than just a letter of attestation from subs saying, “yea, we’re doing this.”

They’re giving primes the ability to review and see some of the artifacts and information about the security implementation. 
As a subcontractor who is already complying with NIST-800-171, Exostar’s platform gives you a simple and trusted way to show primes you are “audit ready”.

Ultimately, with CMMC, Exostar’s intent is to build similar tools to help suppliers, as well as primes, to be able to go through that process of not only answering the questionnaire, but understanding what it is that they need to put in place.

What are the tools they need to invest in? What are the practices they need to put in place? So that they can say, “Yes, I’ve done this and I’m actually doing it.” and provide the evidence so that it can be reviewed by an assessor at some point. 

What Exostar is doing is building tools that will help organizations across the DIB go through that process and make the process of actually achieving CMMC certification much easier for the entire DIB ecosystem.

Having the Right Posture

The tools that Exostar is developing are going to be incredibly helpful, because they’re going to allow those primes to put together a capture team composed of the organizations that they feel have the right cybersecurity posture. 

Ultimately, their vision is to build solutions for the contractor base that provide a 360-degree view of the risk of suppliers. 

And not just cybersecurity. It includes financial risk, reputational risk, and more. 

This post is based on a portion of an episode of The Virtual CISO Podcast, featuring Stuart Itkin. To hear this episode in its entirety and others like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.

ISO 27001 Recipe & Ingredients for Certification eBrief

ISO 27001 Recipe & Ingredients for Certification eBrief Discover what you need to achieve ISO 27001 certification! This eBrief will give you a quick and easily digestible introduction to the ISO 27001 standard and the process of becoming ISO 27001 certified.