
A Tale Of Two BD Managers

It was the best of times; it was the worst of times. It was the age of ignorance; it was the age of awareness. It was the age of unprecedented cyberattacks; it was the age of Cybersecurity Maturity Model Certification (CMMC).

Into this turbulent time, we introduce two Business Development (BD) managers: Buzz, who works for Silo Corp., and Dev, who works for Enterprise Inc. Silo and Enterprise are rival Department of Defense (DoD) subcontractors, and their respective BD managers each hope to land a lucrative contract with PrimeCo, a major DoD supplier that was recently certified at CMMC Level 2.

 

Buzz’s Story

Buzz has been a BD manager for more than twenty years. He knows the ins and outs of Silo’s business and has won several awards from the company for securing numerous lucrative contracts with major clients. He also knows quality management and has been involved in Silo’s ISO 9000 and AS9100 certifications, attesting to their superior quality management.

However, there are some aspects of the business with which Buzz is less familiar. One of those is cybersecurity.

It’s not really his fault. Silo’s culture encourages employees to work hard in their own departments and let their coworkers in other departments develop their own expertise. Buzz sees cybersecurity as the IT department’s responsibility. He knows it’s important; he’s careful not to share his passwords and to avoid clicking on suspicious links in emails. He’s even aware of CMMC and that compliance may become an issue in future contracts with clients. But CMMC is under IT’s purview. Buzz assumes they are pursuing certification, but he hasn’t been involved in those efforts.

Instead, he goes about his business of pursuing new clients and casts his eye on PrimeCo. Having researched PrimeCo’s DoD business and their subcontracting needs, Buzz is sure that Silo can deliver for PrimeCo and that the two companies can form a winning partnership.

Unfortunately, he receives an unpleasant surprise. PrimeCo’s new contract requires that any subcontractor who handles government CUI—which Silo does—must be certified at CMMC Level 2. He contacts IT to find out the status of Silo’s certification only to receive more bad news. They are pursuing certification but are very late to the game. They have only recently begun working with a consultant to become compliant and are not quite ready to be certified. Moreover, they’ve looked into engaging the services of a CMMC Third Party Assessment Organization (C3PAO) when the time comes for assessment, but there are only a limited number of authorized C3PAOs, and everyone they’ve contacted has a months-long backlog.

Buzz makes his pitch to PrimeCo and explains that Silo is working on its CMMC Level 2 Certification but isn’t quite there yet. However, he notes, their AS9100 certification is up to date. The PrimeCo rep is adamant: AS9100 is not enough. CMMC Level 2 Certification is required to be an approved supplier on this effort. PrimeCo can’t afford the risk of losing their own contracts by working with a subcontractor that isn’t certified. Without CMMC, Silo can’t even get a foot in the door.

 

Dev’s Story

Dev is a little newer to his role; he’s been a BD manager for about five years and has stacked up a few successes of his own during that time. His company, Enterprise, has a different philosophy than Silo’s and encourages interdepartmental cooperation. So, Dev has taken a strong interest in cybersecurity since the start of his tenure there. He has followed CMMC from the initial proposed ruling and has persuaded Enterprise’s leadership, IT Team, and other department stakeholders that compliance is in the company’s best interest.

Like Silo, Enterprise handles government CUI, which means that Enterprise will need to be certified at CMMC Level 2. Dev knows CMMC Level 2 is based on NIST SP 800-171, and he has encouraged Enterprise to follow those requirements, knowing it will give them a head start when it comes to CMMC compliance. Enterprise formed a CMMC Compliance Team with executive sponsorship and key stakeholders across the company. As a member of this team, Dev has been in touch with IT as they’ve gone through consultations, remediations, and readiness assessments, and he’s helped research C3PAOs. Once a C3PAO was selected, Dev participated in the Level 2 assessment. Further, he’s used all these activities as selling points when pursuing new contracts.

When the PrimeCo opportunity arises, Dev is prepared. He assures PrimeCo that not only can Enterprise meet their operational needs, but they are also certified at CMMC Level 2, thus meeting the compliance clause. PrimeCo’s response: “Fantastic! You are officially on our list of approved vendors, and we look forward to getting started with Enterprise!”

Which Story Will Be Yours?

As a Business Developer, you have a role to play in compliance. Will you leave it all to IT and hope that when the time comes to sign a new government contract, your company will be ready? Or will you play a more active part in shepherding your company toward compliance?

The latter is a far, far better choice, and you don’t have to do it alone. CyberNINES is here to help! Contact us at this link to find out how we can work together to prepare your company for CMMC.

Next up—comparing CMMC with ISO 9000 and AS 9100
