Congratulations, you've reached the CMMC summit! Welcome to base camp.

CMMC is not the final step in an organization’s cybersecurity journey. Read about today’s evolving risk and how to prepare for your next phase.

    The day is coming when the CISO will look at their team and announce, “We have made it, CMMC is complete! Our cyber journey is done.” A release of tension will course through the team. They will gather for celebratory drinks and swap stories. The CEO and Board will tell them how grateful they are, as they wish them well on their next journey, wherever that might be. The team will share one more round before riding off into the sunset.

    At least that’s how the scene would play out in a movie. Reality, however, is different.

    Meeting Cybersecurity Maturity Model Certification (CMMC) will mean that you have only three years before you need to recertify, and 12 months until your organization will need to re-affirm that it still meets the requirements. NIST 800-171 v3 will likely have become final, and you will need to implement it.

    Outside of your organization, the threats and threat actors will have improved and adopted AI into their tactics, techniques, and procedures (TTPs). Beyond the U.S., there will be new regulations, and within, several states will have new requirements. Insurance brokers will be conducting independent verification of your cyber defenses, with your rates fluctuating based on results. Your cyber team will still be over-worked and under-resourced. And all of this will happen while you’re trying to meet the SEC rules around cyber disclosure and materiality.

    It is a far cry from the movie opening, and given all these challenges, it is easy to understand why those CISOs who can are leaving their roles.

    But it isn’t all “doom and gloom.” CMMC (via NIST 800-171) has given us a good cyber framework to build from. Implementing it will have helped change your culture into a more security-conscious one, and pushed the board, executive team, and cyber team to better understand one another.

    It also opens the door to continue the cyber journey.

    Next steps for your cyber road ahead

    Looking at the next steps to take after meeting CMMC, several common themes are apparent if you want a healthy and robust cyber program, although they all need some tailoring to fit your organizational mission:

    • Zero Trust: Build out an organization that finds a way to verify every micro transaction for 100% of your business.
    • NIST 800-171 v3: Execute it, within your zero trust plan, and know that v4 will come sooner rather than later.
    • AI: Generative AI is in its infancy, and it has already had tremendous impact. True AI will come and be even more disruptive.
      • Operational AI: How are you going to use it in your day-to-day? How will it help you deliver your core mission? How will it help your infrastructure to operate?
      • Situational AI: How will AI help you detect a potential cyber incident sooner? Detect TTPs? Filter more logs? Find hidden threats?
      • Deep fakes: How do you prove that recording of your CEO is fake, or real? How do you deal with sophisticated misinformation on social networks? How do you find it before the damage is done?
    • Quantum computing: Remember all the angst you went through to encrypt everything in transit or at rest? Well, quantum computing just broke it. Now we need to deploy quantum-proof encryption.
    • People: We are still the weakest link in the process. Everything we do above needs to account for people: How to empower them, make them more productive, protect them, and make everything easy for them to use, while protecting them from the human traits that make them prime targets for threat actors.

    The five bullets above are more than enough to help us realize why CMMC isn’t the end of the cyber journey; it’s barely the start. There will always be a lot more to do. In a perfect world – one full of resources, subject matter experts, unlimited budgets – this would be a challenge, but we do not live in that perfect world.

    Cyber is a journey that evolves every day. Even if your organization didn’t need to meet CMMC, you are on the same journey. It is a journey that every organization, of any size, needs to recognize and undertake.

    How CohnReznick can help

    To succeed on this journey, organizations need a strong CISO as part of their executive leadership team. Even then, they will require a trusted advisor to help them along.

    Let CohnReznick be that advisor. We provide thought leadership, technical guidance, targeted help, and CMMC guidance, and – for defense contractors – we are a CMMC Registered Provider Organization (RPO) and a Certified Third-Party Assessor Organization (C3PAO). If you want to talk about your cyber needs today or how to strategize for the future, CohnReznick is the advisor you can count on.

    Stephen Gilmer

    Director, Cybersecurity, Technology Risk and Privacy