
Helping Defense Contractors Thrive: CMMC and DOD Cybersecurity Compliance


In a time when many companies are focused on day-to-day operations, Moore members across the globe are helping businesses thrive by keeping an eye on what comes next. From updated legislation to fluctuating compliance requirements, many industries deal with constant change, and Moore members like DGC (DiCicco, Gulman & Company) are here to help.

A new Cybersecurity Maturity Model Certification (CMMC) is set to take effect in late 2021, impacting about 400,000 companies in the U.S. defense industrial base. While these cybersecurity requirements are not yet in effect, they will supersede the existing regulations for the defense industrial base.

“The changes are coming later this year, so companies should be preparing now,” said Nick DeLena, CISSP, CISA, CRISC, CDPSE, IT risk assurance principal and practice leader at DGC. “The governing law of the land today is a self-assessment model, so it’s up to you to implement those requirements. The problem with that is that a lot of companies – a majority – have not taken that very seriously.”

Prior to the announcement of the CMMC, the Department of Defense (DOD) began performing audits of companies’ progress in implementing NIST SP 800-171 and found a widespread lack of adoption, despite the requirement being a contractual obligation and despite the risk of prosecution under the False Claims Act.

“Because the supply chain is so large and the supply of assessors and certifiers won’t be that big, they have to orchestrate the CMMC implementation in such a way that the requirements are not excessive,” said DeLena.

This means certain critical military programs will see these requirements take effect this year, including 1-15 prime contracts. The DOD’s goal is for more firms like DGC to become certified to provide this guidance as the roll-out continues.

“There’s a lot of interest from accounting firms because that certification approach fits culturally with what we do,” said DeLena. The certification also takes into account things like independence, quality control, internal reviews, etc., creating a natural synergy between CMMC and accounting firms.

Companies affected by this new requirement are taking one of two approaches. Some companies are waiting to see the final requirement, which is not advised; many others are trying to get ahead of it by understanding the process, engaging the right professionals to implement it, and gathering the appropriate documentation.

DGC has been actively helping companies perform gap assessments against the various levels of the CMMC and guiding them in remediating deficiencies, in many cases writing policies for clients or helping to shape new procedures that meet the standard’s requirements. DGC has been vetted and cleared by the CMMC Accreditation Body and is a Certified 3rd Party Assessment Organization (C3PAO). It expects to soon offer these certification services in addition to its current consulting and preparatory services.

DGC has assisted a wide variety of companies in the defense industrial base in preparing for CMMC, including the following industries:
  • Ruggedized computer components manufacturing
  • Photonics/laser manufacturing
  • Shipbuilding
  • Research and development
  • Architecture and engineering
  • Industrial components testing
  • Software design and development
“Because the FAR and DFARS regulations span not only cybersecurity but also include accounting practices, we’re finding more and more that cyber is the top issue that starts the conversation,” said DeLena. “Oftentimes clients will come to us because of CMMC, but while we’re talking with them, they bring up other concerns that we can address with our range of accounting services.”

Nick has been working with clients in this space since 2015, watching the evolution of the requirements and remaining active with the defense IT community. “We see huge advantages being able to offer a wide suite of compliance services to defense contractors, beyond cybersecurity,” said DeLena.

Taking the lead in this sector, Nick and his team have also found ways to bring CMMC into conversations with fellow Moore members. Nick, along with Sean Linton from Lurie LLP, shared their insights with the Moore North America Consulting Community, generating discussion and follow-up conversations. DGC has also produced resources on CMMC, including articles and videos, which are available at dgccpa.com.

“Within CMMC there’s going to be independence requirements,” said DeLena. “So if you’re consulting with a company and you’re not able to do their certification, firms like DGC and others within the Moore network will be needing to refer in another firm. There’s a real opportunity within the Moore network to build relationships with others like myself that head up the cybersecurity groups, to get a sense of whether they want to collaborate and work together on this significant initiative.”

For additional insights into this offering, check out this video podcast from DGC, featuring DeLena and DGC IT Risk Assurance & Advisory Manager Scott Goodwin. You can also visit DGC’s IT Risk Assurance & Advisory web page for additional resources.