Perspectives from an Authorizing Official (D03a)
Leveraging new compliance programs, like CMMC, and understanding their value is always challenged with fear, uncertainty, and doubt (FUD). The often-repeated claims that such programs are a paperwork drill, a waste of money, a checklist mentality, and a barrier to innovation are thrown out by those challenging the effort. Drawing on experience as a former Federal CISO (at multiple agencies) involved in building compliance programs, such as those at DHS and FedRAMP, this talk argues that it is important to understand the value and risk from an authorizing official's perspective.
Compliance programs like CMMC and FedRAMP are routinely characterized as a contract issue. Unfortunately, this often confuses the enforcement/assurance mechanism with the discussion of value and risk. If you step back and consider the compliance program from the perspective of an authorizing official, you can have a more meaningful discussion regarding the potential impacts to mission, functions, image, and reputation.
This talk will discuss many of the common complaints and counterarguments to help the busy professional convey a positive story focused on value. Looking back over 25 years of delivering compliance solutions, this talk will share that experience in a way that helps the audience appreciate the intended program goals of CMMC beyond contracting. In addition, remembering to balance any compliance program so that it supports small businesses and does not stifle innovation should always influence how you look at enforcement.