If anyone in the world of cybersecurity has a clear-eyed perspective on the challenges facing tech companies in today’s environment, it’s Jeff Dalton, board chairman of the CMMC-AB.
The acronym stands for Cybersecurity Maturity Model Certification Accreditation Body. His group advises the U.S. Department of Defense (DoD) on the CMMC program, which provides cybersecurity training, certification and third-party assessments for defense contractors who do business with the department.
The DoD created the CMMC in 2019 to upgrade the department’s cybersecurity guidelines for defense contractors from a self-reporting model to one that requires improved data security measures. Since 2017, all contractors have been required to self-assess and report their cybersecurity readiness against the NIST SP 800-171 industry standard.
These efforts were in direct response to serious data breaches in the defense supply chain in prior years. The DoD reached out to tech industry partners to find new ways to address vulnerabilities within the defense industrial base (DIB) infrastructure. A big part of that response was the CMMC program.
Dalton spoke with Rhia Dancel, a cybersecurity expert at NSF-ISR, at the recent Information Security Symposium hosted by NSF-ISR, a global management systems certification organization. The symposium was designed to highlight the importance of companies creating a culture of data security compliance and certification.
Dalton jokes that his wife has to remind him that the CMMC-AB board chairmanship is really his second job. His first happens to be serving as president and CEO of Broadsword, a performance innovation company that uses agile methods to help clients create more efficient processes within their operations.
He and his CMMC-AB colleagues have a special concern related to small defense contractors with small budgets. The smaller firms understand that they have to improve their data security practices or lose the opportunity to do business with the DoD. The question is: How do they do that without straining their modest budgets?
Dalton’s advice is simple and straightforward. “There’s no rule that says you have to hire someone from the outside to do it and spend a lot of money,” he says. “Understand the meaning of the CMMC practices and how they work together. Then conduct your own self-assessment and try to focus on more of an integrated approach.”
What motivates a tech company founder and president to take on the additional work that comes with leading the CMMC-AB board? For Dalton, it all comes down to a sense of responsibility. He sees it as his role in the cybersecurity war the U.S. is now engaged in — even if a large part of the population is unaware that it’s happening.
“People should want to do this because we’re under attack,” he says. “Lots of the companies watching today probably have had breaches, and they know what it’s like. They know it’s a very bad thing. The town I live in just had a ransomware attack and ended up having to pay all this money.
“We don’t want to have to do that. So we have to stop it. This is the year for companies to all step up and say, ‘We need to fix this problem.’ And CMMC is a good solution to get that going and really establish a solid baseline of improved security.”
Spoken like a man on a cybersecurity mission. Even if it means working two jobs.