Debunking CMMC Myths: ‘I’m Too Small’ Isn’t An Excuse with Expert RevOps Leader Valerie Cobb

Understanding and achieving CMMC (Cybersecurity Maturity Model Certification) is vital for businesses working with the Department of Defense, and it’s not as simple as saying, “Trust me, we’re secure.” In this episode, John Riley sits down with the passionate and insightful Valerie Cobb, a CMMC expert with Omnistruct, to dissect the complexities and necessities of CMMC. Valerie doesn’t hold back, addressing common misconceptions like “we’re too small” or “Congress will change it,” with a direct, no-nonsense approach that matches her zeal for protecting critical data. Together, they dive into why CMMC is crucial now more than ever, contrasting it with the limitations of FedRAMP and highlighting the shift from self-attestation to third-party and DOD audits. Valerie emphasizes that compliance is not just a cost, but an opportunity for businesses to stand out, encouraging proactive steps towards certification and leveraging it as a strategic advantage in securing government contracts. If you’re looking to understand CMMC and how it can transform your business’s security posture and growth potential, this episode is a must-listen!

We’ve got a special show with Valerie Cobb and myself. She’s already cracking up. This is an easy one for me. All right. Is it the radio announcer voice? Is that the problem?

It is the radio announcing voice. I can’t even do it. I have such a tinny voice. Go ahead. You do that.

I’ll try and make it more like butter. All right. Anyway.

I like it.

Debunking CMMC Myths: “I’m Too Small” Isn’t An Excuse

We are going to talk about CMMC and the need for CMMC. Some of the things that we’re hearing about when we’re talking to people about CMMC and some of the people that are trying to avoid it. Valerie, you’re talking to a lot of these customers and potential customers and so what are you hearing when you talk to them about CMMC? It seems like we’re getting a number of different responses. Give us a couple of samples.

Number one, first of all, it’s easy to take off Valerie. It isn’t easy, and I’m pretty patient. At the end of things, when we are in business and we are transacting business, I don’t care if you’re a nonprofit, you’re transacting some kind of business. You’re calling up investors. Here’s your cold caller, “I’ve got this country that needs water,” and all of these things. You are selling, getting donations to your nonprofit. That’s true. There’s nothing wrong with that. I donate all the time. I love donating. That’s not the problem. When you’re in your country, I don’t care what country you’re in, if you are not protecting the citizens of that country, because that’s what you, as a government, agreed to do.

You might be born into that country. I can’t say one way or the other. Maybe you moved to that country because I have lived internationally and John’s rolling his eyes already and looking at the time. I’m just kidding. Anyways, to answer that question, if we are servicing the US government in this situation, CMMC is servicing the US government, you can be a contractor outside of the United States and still service the US government, but you’re servicing the US government’s defenses.

That means that you’re selling into that government to help protect the citizens of that community. I think the thing that bothers me around CMMC, and again, I get opinionated, is we send out our soldiers, we send out defenses to protect. I’m not talking immigration, I’m talking about threat, whether internal, external, those kinds of things. You have to pass an assessment. Will it be enacted? I hear all the time, number one, “I’m too small as a business to make that happen.”

You are making money as a business. You’re not a nonprofit in this one. Although, like I said, that’s questionable because there are nonprofits and they have to still pay their bills. They’re still bringing in money. There is some kind of currency that’s transacting. They say, “I’m too small. I’m too big.” The biggest one recently was, “Because I’m so small, I’m going to have Congress change this.” I’m a US citizen right now. I’ve lived in other countries. I don’t want my military, I don’t want my defenses down for the excuse that we are too small.

First of all, why on earth are you trying to change Congress to begin with? The reality is how do you defend and put people at risk if you’re not willing and you’re selling it? Get out of the business. Don’t sell into that. That’s how I feel about it. It’s me as a citizen. I was sitting, John. I was at CONEXPO and we had heavy equipment, and we had another nation that also had heavy equipment, and here’s their drones flying over our heavy equipment to steal that intellectual property. I’m standing there and they’re stealing that intellectual property. That wasn’t defending a border, but that’s my intellectual property that hurts my company, hurts my employees. It hurts all of those things, the competition. Now say it’s the Department of Defense. That’s me.

CMMC Unveiled: Defining The Model & Its Critical Mission For DOD Security

I think from that standpoint, I mean, a little clarification on what CMMC is. CMMC is the Cybersecurity Maturity Model Certification. It’s really required specifically for DOD contractors at this time. What it’s supposed to do, or what the purpose of it is, is to protect the data of the DOD, the Department of Defense, when there are things that are not supposed to be out for the general public.

We generally don’t find the blueprints for tanks online, for instance. Hopefully not. You can’t build one at home. You can’t 3D print one, maybe. That’s the reason that it exists. The question is, we’ve had top secret things for so long, why now? What’s this big push for CMMC now and, as you said, some people are saying, “I’m going to change Congress,” or there’s too much cost, or there are too many things involved with doing this. These contractors have been in this business for a long time and they’ve been getting this data for a long time. Why is this changing?

I’m going to go to a little story about Amazon to answer that question. Amazon, years ago, because I’m old enough to remember when they started and everything, were able to have so much data before any laws were enacted that they could probably reproduce and clone me to this day, simply because it’s been there for a long time. That’s what we look at.

When we look at trying to identify if you’re a threat, and you look at identifying the least thing, maybe years ago it was a pregnancy test, and all of a sudden, I’m getting recommendations for prenatal vitamins. I took a pregnancy test, now I’m getting prenatal vitamins. They know your patterns as a human. In AI, a lot of times, we can create deep fakes. We can do all sorts of things that seem so real.

To answer that question is any negative data, there’s so much data floating around that we don’t even recognize as something that could be used by a threat. I play on TV The Spy and James Bond, all this other stuff, you think about even hardly anything that goes in through an email, but why are you ordering 6,000 of these cogs?

You follow down the line of all where the data is going, and it’s like, eventually, you can build a submarine if you can follow the track of the data. I am not John Riley, who probably could have put that in better technical terms, but I know I have external hard drives that probably have sensitive information about my family, my friends, my loved ones that you could rebuild me if you got a hold of some of my external hard drives from 2008.

If we’re trying to defend, the first thing that any threat actor does is go to the lowest hanging fruit. We talk about Target and the HVAC vendor. Lowest hanging fruit is the ones that are easiest to penetrate because I’m a threat actor, I’m not going to go to the hard thing. That’s too hard. I’m going to begin to profile bits by bits. As soon as I have enough bits, that’s where if I were doing bad things, which I never do because I am like this little angel all the time, but if I wasn’t, that’s where I would probably start in the background to build.

You asked why now. It probably should have been done 10 years ago, 20 years ago, maybe when Amazon first started, but we didn’t know about it back then. We didn’t really understand it completely, at least in my book. That’s opinion according to Valerie. Did I answer that question, John or did I dance around it?

The Evolution Of Trust: CMMC’s Shift From FedRAMP’s Self-Attestation

Here’s my opinion on it. For a long time we’ve had the regulations. Many people have heard of FedRAMP and the FedRAMP certification.

Many haven’t. What is FedRAMP? You actually had to define CMMC. What is FedRAMP?

FedRAMP, I’ll call it the predecessor still to CMMC. FedRAMP is a certification program for applications or equipment or anything else that is purchased by the federal government, like encryption and different things are met during that. The FedRAMP certification of the equipment is a little different than manufacturing something that’s maybe secret or top secret or what’s called CUI.

Certain unclassified information.

When it comes to FedRAMP, though, a lot of businesses were able to do a self-certification and just a self-attestation. “Yes, I’ve met all the requirements and therefore go ahead and gimme that giant contract.” As soon as they received that contract, they found out that some other nation state was within their network and also had access to it. All those things that they signed off on, that they were FedRAMP certified and self-attested, just were not true.

You mean, “Trust me,” doesn’t work anymore.

That’s exactly what I’m saying. The reason for the CMMC is the DOD got tired of that and said, “Enough of that. If we’re giving you something that’s of value to us and marked as CUI, if you’re just a manufacturer and we don’t really care about the data, it’s already public knowledge, fine. We’ll allow you to self-attest.” That’s level one. At level two, “We’re giving you some more sensitive data. It may be older, it may be something that’s not quite top secret, and we’ll allow that to happen.”

“We’re going to have somebody come in and audit you to make sure that you’re doing those things. We’re going to make sure that that happens every three years to make sure that you’re keeping up with it despite changes, despite how you process changes in your organization. We’re going to every three years come in and have somebody audit you and actually tell us that you’re doing the right things.”

There’s that top secret level that we’re going to give you the newest best tank or fighter jet data, and we want that protected 100%. Therefore, we don’t even trust that third party to come in and audit you anymore. The DOD is going to come in and audit you and make sure that you’re protecting that data. We’re going to do that on a regular basis as well as an unannounced basis to make sure that you’re meeting those requirements. It is all in response to what happened with FedRAMP and the lack of people keeping track of, or doing the right thing of actually meeting those requirements and staying with those requirements.

Now it’s trust, but verify and verify. A lot of companies just can’t say, “Trust me,” anymore, as you put it. This is the next iteration. That maturity model of certifications, that’s where we’re at. Getting Congress to change that or trying to tell your vendor, tell your prime contractor, “I don’t want to do that,” it’s just not going to be an option because they’ve lost too much data and they’re tired of losing that data. With FedRAMP being that predecessor, the rest of the government is actually still now looking at taking CMMC and making that more of the standard.

Either combining FedRAMP, which is 800-53, and CMMC, which is 800-171, the NIST ones, and combining those and making it one set of standards across the board. I think they’re waiting to see how well CMMC does for the DOD contractors first. Ultimately, we may run into something where it becomes more of a standard across the board for all contractors with the government instead of FedRAMP.

You’re so calming when it comes into that spitfire, because to me, it really bothers me that organizations have such apathy over it. It’s like it’s not going away, but you should have been probably working on this anyway. That’s where I get ticked, because you are protecting, as an organization, your customers. That’s what you’re doing.

You know me. I work in the small business realm. I totally get you. Cashflow sucks when you’re trying to figure all this stuff out. We end up with this thinking that this is a cost expense versus an opportunity expense, because there will also be many that realize that they will get contracts because they have complied with this. Whatever the cost was, they can work agreements with prime contractors to help them get ready, or there are a lot of various different grants running around out there. I find that, “It’s a cost,” no. It’s going to be like toilet paper. You need it.

Seize the CMMC Opportunity: Leapfrog Your Competition & Secure Contracts

As an executive of a company, it’s your job to find the opportunities. This is one of those opportunities for you to leapfrog over your competition, work with your prime. Go to your prime now and say, “I’d like to become CMMC certified and I want to do it more quickly than your other people, because I want to earn your business faster.”

That is the way to the prime’s heart. “I want to earn more business if I do this with you, or can you help me get here?” I earn more business out of this and be proactive. If you’re going to sit back and go, “I don’t want to do it,” drag me kicking and screaming, they’re going to go to that other person that’s there knocking on the door going, “I’m ready. Put me in, coach, I’m ready.”

I’m a big advocate of no file folders, no spreadsheets to try to manage this, because you get your assessment coming out and it’s like, “You’re not going to pass that thing.” Again, this is a shameless pitch. It’s not a shameless pitch, but it is: you should, at least bare minimum, be tracking in some kind of GRC platform.

Even more so than that. It is not the certification that’s the thing. It’s not the model that’s the thing. It’s not the compliance thing. It’s the maturity. I don’t care who you are, I have never seen a baby walk out of the womb.

This episode is now called, I Have Not Seen the Baby Walk Out of the Womb. With that said, we’ve had another good one. Thanks for inviting me on the show, John.

It’s a pleasure. I appreciate your perspective on it. When we did the initial, you were fired up about this one. I may look more imposing, but when this comes to this, Valerie is the spitfire on this one. If you have more questions, get her on the phone and she will tell you.

I will tell you honestly and truthfully. No, you can’t say, “Trust me,” but yes, at the end of the day, I don’t know. I’m a champion of small business. I love them dearly. We all know this. At the end of the day, I want them all to succeed. There are 33 million of them in the United States alone. I want them to win. This isn’t anything to do with trying to sell a product. This is actually a winning strategy.

You actually should do this so that you separate yourself from the men, from the boys, but you obviously, and I can’t even say men, that’s not even PC anymore. That’s not even politically correct. I can’t say that either. What can I say, John? I just feel like I can’t say any words at all. At the end of the day, you should protect yourself from the competition. You should also be willing to protect your customers, whatever they are. Whether it’s a nonprofit, whether it’s a whatever, you should be willing to do it, because if you don’t, it is only a question of time.

Somebody else will, is what it comes down to. If you’re not stepping up to the plate and taking those big swings, using baseball as an analogy, you’re not going to get the home runs. You’re playing defense. You’re not going to get there. If you are running a business and one of your customers happens to be the DOD, this is your chance to shine and really step up and make it happen. Be the leader who’s there. Be the coach.

It’s a total opportunity. Alright, bring us home. What do you do with this?

Obviously, if you need help getting CMMC certified or need to understand better how to do it and increase that maturity, if you’re not ready to walk out of the womb, then let’s figure out a way to help you out. Always like, follow and share this with other customers that may need help or that are in the same boat, your best friends that you’re drinking beer with or whatever. Don’t do it as you’re manufacturing, but be around the same time. Honestly, it was a great time. Thank you, Valerie, for being on the show. I appreciate it. Not yelling at everybody, that was a good step here. I appreciate it. Thanks, everybody, for reading.

About Valerie Cobb

Revealing why people buy to drive revenue. Valerie Cobb is an award-winning leader with over 25 years’ experience, and is passionate about growing revenue.

She has mastered getting to the root of the buying-and-selling dysfunction that is often common in organizations on the path to consistently producing high-performing sales.

As Chief Revenue Officer of Omnistruct, she is instrumental in aligning sales, marketing, and the client experience.
