CMMC: Addressing Misconceptions as We Approach Implementation

When CMMC was first introduced, there were a lot of vocal critics. Louder more contentious arguments eventually gave way to more thoughtful discussions regarding how to improve the tenets of the program with the goal of ensuring overall improvement in defense industry cybersecurity. Now that we are getting closer to a final ruling, anti-CMMC arguments are emerging again around some of the same flawed thinking as before. This article aims to address these anti-CMMC positions head-on and shed light on the program’s true objectives.

Anti-CMMC argument 1: CMMC is a check the box approach to cyber.

Policies and procedures for handling data, settings for alerting teams when events occur, staff training, physical security measures, appropriate access controls, to name a few, are controls that assessments are not only designed to check, but also to ensure that the controls are set up correctly to continue protecting data on an ongoing basis. Or more emphatically stated, periodic evaluation of whether controls exist cannot be conflated with the controls only functioning on a periodic basis. Additionally, an assessment ensures that ongoing and dependable controls exist in an environment that has consequences of national importance.

Much of the DIB currently has either been unable or unwilling to effectively implement these foundational controls and an assessment helps the entire supply chain be more secure by detecting whether specific controls are indeed in place for all members, and that they are designed in such a way to maintain effective controls. Further, the pending CMMC regulation also states that as organizations makes changes to their infrastructure design, they are also required to record those changes and how the controls have been adjusted as well.

Anti-CMMC argument 2: compliance with cybersecurity regulations is prohibitively expensive for small businesses.

Marketing is expensive. Effective accounting procedures are expensive. Cybersecurity is expensive but breaches are an order of magnitude more expensive than the cost of effective controls. It is time that cybersecurity is viewed as a strategic imperative rather than a necessary evil to be ignored where possible because it is inconvenient or costly. This is especially true for small businesses as they are the first targets of foreign adversaries because they are expected to be the easy way in.  I know that our team factors this in and the cost of services are scaled according to the size and complexity of the organization. In addition, many prime contractors are working hard to set up programs to support their supply chains, resources are available to many via state run programs like the NIST MEP programs and there is also growing support available from industry based professional organizations and academic institutions. These resources will likely increase in robustness as the program becomes more mature. Would these programs be emerging without the catalyst of CMMC? Maybe. But probably not.
It is important to realize that once an attacker has a foothold in a small supplier it is easier to leverage that control to elevate privileges. Think about the damage that can be done simply by having access to one employee’s email account in a small business – customer accounts, messages on strategy, email lists – the exploitation opportunities from there are endless and there are ample examples of how such access have resulted in quick acceleration up the supply chain. We are sensitive to the fact that cybersecurity is expensive and that it is an even bigger challenge to retrofit programs into infrastructure where cybersecurity has been absent or inadequate but we also want to ensure that everyone, especially small businesses, understand what is at stake and why it really is of utmost strategic importance to protect your data.

Anti-CMMC argument 3: Commercial companies should drop out if the defense contracts are a small part of their business.

Defense Industrial Base (DIB) members with commercial lines of service should consider adopting some of the CMMC controls for their purely commercial endeavors if they have not done so already. Granted, specific requirements like data centers only being in the US are not necessary for protection of all commercial data, but a lot of the CMMC control requirements are baseline commonsense measures that are missing for a significant portion of the industry. Examples of common sense measures baked into CMMC that should be part of your basic security plan: Multifactor Authentication, effective policies and procedures for managing the confidentiality of your data (CMMC only addresses data confidentiality but you should also have effective policies, procedures and other controls in place to ensure integrity and availability), security awareness training, visitor tracking, and access controls for all as well as additional access controls for privileged users, to name a few. Without a baseline cybersecurity program of some sort, companies should not be surprised by a cybersecurity breach.

Anti-CMMC argument 4: CMMC is political and is being rammed through before another administration can review.

CMMC was initiated by a prior administration, approved by the current administration and is by all accounts and measures, a bipartisan effort.


The CMMC program is a crucial step in fortifying the defense industrial base (DIB) against cyber threats. By clearing up misconceptions, we can ensure a smooth implementation focused on the program’s true benefits: enhancing DIB cybersecurity and protecting sensitive information. 

About the author

Amy Williams

Vice President of CMMC

Amy Williams began her career in Accounting Information Systems, a precursor to cybersecurity that imbued her with the talents and knowledge that she uses today. A member of multiple fields of study, Dr. Williams has ample experience understanding fraud, system errors in internal systems, and internet security protection. She has been on the forefront of developing cyber strategies for supply chains since the world wide web made the internet popular for sharing data in business. With both a Master’s Degree and PhD from Virginia Tech, Amy Williams has held prestigious positions with the NY Citizens Crime Commission where she built an alliance with the FBI, and she led the development of BlueVoyant's CMMC and CIS Advisory Practices prior to joining Coalfire Federal. Back to Full Bio