CMMC - Who is it going to be?

Legal and Compliance Hires has been talking to several organizations recently about the next compliance hires they are making for their teams. Historically, these conversations have been relatively straightforward for us (and them). It's either “we need a trade compliance manager” or “we need a new hire to handle SOX requirements.” Because these positions are well established in these organizations, companies know what they want and which lane the role falls into – i.e., Supply Chain, Legal, Finance or the Ethics and Compliance Department.


Who owns CMMC activity in your organization?

Lately we are seeing an upward trend in companies that are looking to obtain Cybersecurity Maturity Model Certification (CMMC) and are interested in making the right hires to undertake that activity. In very brief terms, the CMMC is an external accreditation that is aligned to the Department of Defense’s information security requirements for Defense Industrial Base (DIB) suppliers and partners. Being certified essentially demonstrates that the company can safely and compliantly handle certain government information[1] as it flows up and down the supply chain. The assessment considers many “controls” that are divided into the families of Access Control, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Management, Security Assessment, System and Communications Protection, and System and Information Integrity.


The difficulty of implementing and administering a CMMC program depends entirely on the posture of the company that wants to implement it. Solid, well-documented business processes, robust IT systems and a successful program deployment history are the yardsticks for success.


So why have these conversations with Legal and Compliance Hires not been so straightforward as of late? One reason is that companies are still trying to figure out where in the organization the CMMC hire(s) will sit, i.e., who has the headcount?


Let’s take a brief look at some of the internal departments below in relationship to CMMC activity.


IT. IT has a lot of responsibility for the cybersecurity “backbone” of the organization. Network and system monitoring, introducing security measures such as multi-factor authentication, and IT maintenance are all activities that may be under the purview of the team. However, CMMC activity also has a “front end”, which includes access procedures, for example. Will you expect IT to write the company joiners and leavers policy to ensure that only those with a need to know have the right access to the right systems?


Compliance. Trade Compliance has a certain closeness to CMMC in some regards. Trade Compliance staff can classify items, which is a natural comparison to identifying Controlled Information types. Experienced Trade Compliance staff are also adept at building policy and procedure, which is a major component of CMMC. Similarly, for the avoidance of deemed exports, the creation of technology control plans (TCPs) is akin to the flow and control of visitors that satisfies the physical protection requirements of CMMC. However, it is unlikely that Trade Compliance managers have the experience in the IT and systems requirements space needed to achieve certification.


So where does CMMC ownership land?


The short answer is with everybody. The correct answer may be with a skilled project manager who is adept at bringing together all the relevant players. Indeed, achieving CMMC is a truly cross-collaborative venture that will require input and accountability from IT, legal, compliance, engineering, data, HR and possibly others. The CMMC controls are vast and will sweep entirely across an enterprise.


Legal and Compliance Hires works with candidates who have deployed CMMC programs. We have your next hire covered in this burgeoning arena. Contact us today to book a quick call to discover how we can assist you in hiring your CMMC expert.

[1] Controlled Unclassified Information (CUI)
