A couple of years ago, one of STRYKER’s main customers, who is a prime contractor for the federal government, gave us a heads-up that we would need to have Cybersecurity Maturity Model Certification (CMMC) in a few years.
CMMC is a system of compliance levels that helps the government, specifically the Department of Defense (DOD), decide if an organization or business has the necessary security to work with vulnerable data. In a nutshell, the goal of CMMC is to ensure that defense contractors do not get hacked, resulting in the loss of sensitive defense information that could find its way into the wrong hands.
We had gone through something similar before with our ISO 9001:2015 Quality Certification. Needless to say, I thought, “Here we go again. I’ll just deal with this later. It probably won’t happen anyway.”
Being a small 22-person company, I thought there was no way STRYKER would need to be certified to this level. Fast forward to 2022 and our prime contractor customers are reiterating that CMMC is coming down the pipeline and led by the DOD.
It was a surprise to me that the DOD was going to require all prime and subcontractors to be cybersecurity certified by 2024 (approximately). If your company touches any Controlled Unclassified Information (CUI), then your company needs to be CMMC certified.
The first step in my journey through CMMC was emotional. We were already in survival mode coming out of a pandemic, trying to grow our company with increased costs, supply chain issues and all the other normal challenges of business. This was another thing added to the list of small business struggles.
After I got over my emotional reactions, I needed to understand the reasoning behind this and get on board. I started researching all the ways CMMC could be a meaningful endeavor for the future of my business and for our future as a strong country.
There were a few things that hit home with me during the CMMC seminars that I attended to gain knowledge about certification. CMMC is a story about the quick and the dead. This means that the sooner you adapt to this, the better. Either you are CMMC or you are not. If you are not, then you are out.
Someone said to me, “The government doesn’t want to do business with companies who can’t keep secrets.” That made sense. Big or small, if you cannot prove that you are taking care of the secrets that are proprietary to the country, then you are a risk.
Throughout this journey to certification, I hope to share my experiences as a small-business owner and the realities of the CMMC process for STRYKER. If you are also considering this cybersecurity journey, follow along to reap the benefits of what we’ve already come to learn.