C3 has merged with Ingalls Read Press Release >>

Balancing Act: The Burden of Adding CMMC Responsibilities to Program Managers

In the intricate world of government program management, Program Managers (PMs) already shoulder an extensive load of responsibilities. From budget management to stakeholder coordination, risk mitigation to quality assurance, the PM's role is akin to a skilled juggler, expertly managing multiple elements to ensure program success. However, adding the Cybersecurity Maturity Model Certification (CMMC) to their already hefty list of duties may be a step too far without some intervention.

  • Brandi Pickett, CISSP, CAP, Director of Government Programs at Ingalls Information Security

    Brandi Pickett


Challenges of Adding CMMC Responsibilities to PM Roles

Here’s the argument: PMs are already stretched thin with their existing responsibilities, and introducing CMMC into the mix could lead to overburdening, inefficiency, and potential negative consequences for the CMMC Program.

  1. Comprehensive Oversight: PMs are entrusted with the comprehensive oversight of their programs, a task that requires unwavering attention. They must manage budgets, coordinate teams, monitor performance, and ensure compliance with a myriad of regulations and policies. Adding CMMC responsibilities could divert their focus from these core duties, potentially leading to suboptimal program management
  2. Resource Allocation: Efficient resource allocation is crucial for program success. PMs must allocate personnel, funds, and equipment strategically. Incorporating CMMC responsibilities demands additional resources for cybersecurity measures, which may strain already limited budgets and human resources. This allocation imbalance could adversely affect program performance.
  3. Risk of Compliance Failures: CMMC compliance is a complex and constantly evolving landscape. PMs are not cybersecurity experts by default, and mastering this domain requires substantial time and training. The risk of overlooking critical cybersecurity requirements or failing compliance audits increases when PMs are spread too thin.
  4. Increased Stress and Burnout: Program management is a high-pressure role. Adding CMMC responsibilities can exacerbate the stress on PMs, leading to burnout and reduced effectiveness. Overloading them with more responsibilities may result in diminished performance and morale, which could have cascading effects on program outcomes.
  5. Diminished Focus on Core Objectives: PMs are responsible for delivering on the primary objectives of their programs, which often involve complex and time-sensitive deliverables. Introducing CMMC may divert their attention from these core objectives, potentially jeopardizing program milestones and overall success.
  6. Regulatory Complexities: CMMC compliance involves navigating a web of regulations and cybersecurity standards. PMs may struggle to keep up with the ever-changing landscape, risking program non-compliance, legal issues, and associated penalties.
  7. Potential for Delays: The learning curve associated with CMMC can lead to delays in program execution. PMs may need additional time to acquire the necessary expertise, develop cybersecurity strategies, and implement compliance measures. These delays can have cascading effects on program timelines and budgets.

While recognizing the importance of cybersecurity in today’s digital age, it is essential to acknowledge the significant responsibilities that PMs already bear. Adding CMMC requirements to their plate may well be a step toward ensuring national security, but it must be done thoughtfully. Striking a balance between cybersecurity and the core responsibilities of PMs is imperative to avoid overburdening, inefficiency, and potential negative consequences for the vital programs they manage. It is essential to provide the necessary support, resources, and expertise to PMs to ensure they can effectively integrate CMMC while continuing to excel in their primary roles.

Practical Strategies for Integrating CMMC With Ease

To ensure PM effectiveness and prevent overburdening, several strategies can be implemented to lighten their workload and enable them to focus on their core responsibilities while incorporating new requirements like CMMC. Here’s what can be done to lessen the burden on PMs:

  1. Specialized Training and Expertise: Provide comprehensive training and certification programs specifically tailored to CMMC requirements. Equip PMs with the knowledge and skills necessary to navigate the intricacies of cybersecurity without diverting their focus from program management.
  2. Dedicated Cybersecurity Support: Establish dedicated cybersecurity teams or experts within agencies to assist PMs. These experts can oversee CMMC compliance, conduct risk assessments, and provide guidance, allowing PMs to leverage their expertise without needing to become cybersecurity experts themselves.
  3. Streamlined Reporting and Documentation: Simplify reporting requirements and documentation for CMMC compliance. Develop standardized templates and processes to reduce administrative overhead, enabling PMs to fulfill compliance obligations more efficiently.
  4. Resource Allocation: Ensure that PMs have adequate resources, including budgets and personnel, to effectively manage both program-specific tasks and cybersecurity requirements. Adequate resources are essential for successful implementation.
  1. Clear Communication Channels: Establish clear communication channels and reporting structures within organizations. Encourage open dialogue between cybersecurity teams and PMs to facilitate efficient information exchange and problem-solving.
  2. Risk Management Tools: Implement risk management tools and software that can help automate and streamline risk assessment processes. These tools can assist PMs in identifying and mitigating cybersecurity risks more effectively.
  3. Cybersecurity Training for Teams: Provide cybersecurity training for program teams working under PMs. When team members have a foundational understanding of cybersecurity best practices, it reduces the burden on PMs to oversee every aspect themselves.
  4. External Support and Partnerships: Foster partnerships with external cybersecurity organizations or consultants. These experts can provide guidance, conduct audits, and offer recommendations, taking some of the compliance responsibilities off the PMs’ shoulders.
  5. Periodic Audits and Reviews: Conduct periodic audits and reviews of compliance efforts to ensure that they align with CMMC requirements. Regular assessments can help identify areas for improvement and reduce the risk of non-compliance.
  6. Continual Learning and Adaptation: Encourage a culture of continual learning and adaptation within organizations. As CMMC and cybersecurity requirements evolve, PMs and their teams should stay informed and agile in their approach.
  7. Prioritization and Delegation: PMs should prioritize tasks based on program objectives and allocate responsibilities effectively. Delegation of certain tasks to qualified team members can help distribute the workload more evenly.
  8. Executive Support: Ensure that executive leadership understands the challenges faced by PMs and supports initiatives to ease their burden. This may involve advocating for additional resources, training, or personnel.

By implementing these strategies, the burden can be reduced on Program Managers while ensuring effective CMMC compliance. It’s crucial to strike a balance between fulfilling cybersecurity requirements and allowing PMs to excel in their core roles of program management, ultimately leading to successful program outcomes.

Chat with a Consultant

Meet the Author

Brandi Pickett, CISSP, CAP, Director of Government Programs at Ingalls Information Security

Brandi Pickett


Brandi is the Director of Government Programs at Ingalls Information Security, bringing over a decade of expertise in key cybersecurity domains including Risk Management, Vulnerability Management, Incident Response, and Security Training. As a recognized figure in the DoD community and a Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner, she spearheads a team of skilled RPOs, leveraging her experience from a foundational role as a HIPAA Privacy and Security Auditor to pivotal DoD contract support, including a significant stint at HQ Air Education & Training Command. Her role was crucial in ensuring FISMA and DoD/AF policy compliance, directly impacting over 60,000 personnel across the United States. Beyond her professional achievements, Pickett actively contributes to the cybersecurity field as a Technical Mentor, board member of the AFCEA ArkLaTex Chapter, and advisor to academic institutions, embodying her commitment to advancing women in STEM, recognized by the 2020 AFCEA International Women’s Appreciation Award.