Queen Consulting & Technologies
CMMC Registered Practitioner and Certified Project Management Professional (PMP) with over 15 years’ experience in the IT industry, Nathan has a proven track record in both the private and public sector.
Prior to starting ASCERTIS Solutions, Steven Senz was a key advisor to the federal government for cyber-security and cloud migration. He has presented to multiple Federal and Commercial forums on cyber security issues dealing with privacy and e-mail fraud.
What is your background when it comes to working with Government Contractors and in what ways are you qualified for CMMC guidance?
Steven: I’m a fully certified cybersecurity professional who has been doing assessments on Federal Government Information Systems since 2008 at the unclassified up to TS/SCI level. I was a federal contractor until 2019 when I transitioned to private practice to help small businesses with government contracts meet the CMMC requirements. I’ve been following the CMMC guidance since the NIST 800-171 DFARS requirements and have been involved in a lot of the comments regarding the CMMC procedures and practices.
Nathan: I am a registered practitioner with the CMMC accreditation body. This means that I have training at the basic level and am able to help businesses understand and prepare for their eventual assessment with CMMC. My background and previous experience includes work as a government contractor with the HHS for 5+ years where I was responsible for assisting in the 800-53 compliance for NIST for several agency software systems by preparing for all of the assessment meetings. For the last six years, I have been running an IT company that supports the basic and intermediate cybersecurity needs of government contractors, contracting as an outsourced CIO and guiding organizations through their CMMC journey.
Talk about CMMC Assessments has been thrown around for years now. Is this actually going to be implemented?
Steven: CMMC actually started before the Trump Administration and so it’s gone from Obama’s administration through Trump’s administration and now it’s in the hands of the Biden administration. Some people wonder if this is still a prime focus for the government, even though it’s been through so many different administrations. I can tell you that, because of all of the cyberattacks – ones that have affected our pipeline system, the grid, and hospitals – the government has not changed its position through the previous administrations and this is happening. As far as the government is concerned, it’s probably not happening fast enough for them, but it’s certainly not going away.
How will CMMC impact my business?
Steven: The short answer is that going forward all of the DoD and IC and civilian agencies will mandate CMMC compliance in their solicitations. So if you aren’t certified you will be precluded from doing any further government business that has anything to do with IT. Plus meeting at least the CMMC level one benchmark is a good cybersecurity practice that will look good with your clients as they’ll be able to know that the information they are providing you is protected against any threats.
Nathan: Well said. As Steven mentioned, if you don’t get certified, then you can’t win certain contracts with the government, which translates to millions, if not billions, of dollars. So if you don’t get to the compliance that’s required in contracts then you don’t get to play ball. This is obviously game-changing for businesses that require these contracts as their revenue. Another thing is that other agencies outside the DoD, such as Homeland Security, have started to announce that they have plans to adopt the model or something similar to CMMC. I’ve also heard that some state and local governments and financial institutions are looking into setting up this model as a sort of standardized process that could be used for vetting their supply chain and vendors for security. So there are a lot of good reasons, but I think that one of the most important things for small businesses to consider is what the cost could be if they do not reach that point.
If I am just a reseller do I need to become CMMC compliant?
Steven: There are two types of resellers. The first are resellers who buy in bulk and then ship it out to various locations for the Government. These resellers aren’t adding value to the product itself, they’re just making a large purchase and then shipping it out to the various locations. These companies do not need to be CMMC compliant since it is just a pass-through. However, if you are a reseller and you are adding value to the product, then CMMC applies to you. For instance, if you are taking a bunch of Dell laptops and putting in a configuration for a client, at that point you are putting value into the product and CMMC will apply to you.
There are multiple levels of CMMC. What level will my company need to achieve?
Steven: If you are a government contractor and your level of information is considered FCI, you only need to reach CMMC Level 1. But if you are working with CUI, which is considered sensitive, you need to be at CMMC Level 3.
What advice do you have for someone who will need to pass a CMMC Assessment?
Steven: You should be starting now. Assessments will begin first quarter 2022. If you are a small company that has one person who really understands IT but the rest of the company’s expertise lies elsewhere, achieving a CMMC level one rating will take about six months. For a small company with one person who really understands IT that wants to reach CMMC level three, it will take about 18 months. So start now because the clock is ticking.
Nathan: I second all of this and would add that the gaps we’re seeing over and over again for a lot of small businesses are that the small businesses we’re working with don’t have documented procedures, or they’re extremely limited, and a lot of them don’t have in-house people who know what to put into the CMMC documents or how to implement them. So I would say it is beneficial to hire someone who is knowledgeable and certified to help guide you through the process, and don’t wait until the last minute to do this.
I hear you’re hosting a Free Webinar on the MUST Do’s to Pass the CMMC. What will I gain from attending?
Nathan: Come to the webinar because, if nothing else, you’re going to come away with a lot of information on insider knowledge, tips, and tricks of what you need to focus on so that you don’t spin your wheels and waste time and money where you shouldn’t. Furthermore, you’ll come away with tangible, helpful aids including a vetting questionnaire to help your business determine who is a good contractor to work with. You’ll also come away with a cheat sheet of what areas you need to do your CMMC maturity to help guide you through the process in a nice and easy way. And, last but not least, you’ll get to see a tool that will help your business track and automate the outputs for your entire gap remediation and assessment process that would take much more time, effort, and money if you were to go with a different tool or vendor.
Steven: I think the other thing that Nathan alluded to is that we are small companies with low overhead committed to helping other companies achieve CMMC compliance in the most cost-effective manner possible. You can always buy a more expensive tool or hire more expensive consultants, but we understand the margins that small businesses have and we are very sensitive to that. And so we provide you grade-A service, but we don’t charge a grade-A price.