This article appeared in Moore's Connected News, a newsletter distributed to all Moore members. Moore is an international network of over 300 accounting and consulting firms throughout the United States and in 100+ countries. As an independent member firm associated with Moore, DGC has direct access to this global network of resources, which we have successfully partnered with to assist our clients with their business needs.
In a time when many companies are focused on day-to-day operations, Moore member firms across the globe are helping businesses thrive by keeping an eye on what comes next. From updated legislation to fluctuating compliance requirements, many industries deal with constant change, and Moore members, like DGC (DiCicco, Gulman & Company) are here to help.
A new Cybersecurity Maturity Model Certification (CMMC) is set to take effect in late 2021, impacting about 400,000 companies in the U.S. defense industrial base. While these cybersecurity requirements are not yet in effect, they will supersede existing regulations for the defense industrial base.
“The changes are coming later this year, so companies should be preparing now,” said Nick DeLena, CISSP, CISA, CRISC, CDPSE, IT Risk Assurance Principal and practice leader at DGC. “The governing law of the land today is a self-assessment model, so it’s up to you to implement those requirements. The problem with that is that a lot of companies – a majority – have not taken that very seriously.”
Prior to the announcement of the CMMC, the Department of Defense (DOD) began auditing companies’ progress in implementing NIST SP 800-171 and found a widespread lack of adoption, despite it being a contractual obligation and despite the risk of prosecution under the False Claims Act.
“Because the supply chain is so large and the supply of assessors and certifiers won’t be that big, they have to orchestrate the CMMC implementation in such a way that the requirements are not excessive,” said DeLena.
This means certain critical military programs will see these requirements take effect this year, including 1-15 prime contracts. The DOD’s goal is that more firms like DGC will be certified to provide this guidance as the roll-out continues.
“There’s a lot of interest from accounting firms because that certification approach fits culturally with what we do,” said DeLena. The certification also takes into account things like independence, quality control, internal reviews, etc., creating a natural synergy between CMMC and accounting firms.
Companies affected by this new requirement are taking one of two approaches. Some companies are waiting to see the requirement, which is not advised, while many others are trying to get ahead of it: understanding the process, engaging the best professionals to implement it, and gathering the appropriate documentation.
DGC has been actively helping companies perform gap assessments against various levels of the CMMC and guiding them to remediate deficiencies, in many cases writing policies for clients or helping to shape new procedures that meet the standard’s requirements. DGC has been vetted and cleared by the CMMC Accreditation Body and is a Certified 3rd Party Assessment Organization (C3PAO). DGC expects to offer these certification services soon, in addition to its current consulting and preparatory services.
DGC has assisted a wide variety of companies in the defense industrial base to prepare for CMMC, including the following industries:
“Because the FAR and DFARS regulations span not only cybersecurity but also include accounting practices, we’re finding more and more that cyber is the top issue that starts the conversation,” said DeLena. “Often clients will come to us because of CMMC, but while we’re talking with them, they bring up other concerns that we can address with our range of accounting services.”
Nick has been working with clients in this space since 2015, watching the evolution of the requirements and remaining active with the defense IT community. “We see huge advantages in being able to offer a wide suite of compliance services to defense contractors, beyond cybersecurity,” said DeLena.
Taking the lead in this sector, Nick and his team have also found ways to bring CMMC into conversations with fellow Moore members. Nick, along with Sean Linton from Lurie LLP, shared their insights with the Moore North America Consulting Community, generating discussion and follow-up conversations. DGC has also produced resources on CMMC, including articles and videos, which are available at dgccpa.com.
“Within CMMC there are going to be independence requirements,” said DeLena. “So, if you’re consulting with a company and you’re not able to do their certification, firms like DGC and others within the Moore network will be needing to refer in another firm. There’s a real opportunity within the Moore network to build relationships with others like myself who head up the cybersecurity groups, to get a sense of whether they want to collaborate and work together on this significant initiative.”
For additional insights into this offering, check out this video podcast from DGC, featuring DeLena and DGC IT Risk Assurance & Advisory Manager Scott Goodwin, OSCP, OSWP. You can also visit DGC’s IT Risk Assurance & Advisory web page for additional resources.