DoctorMac

Allison Giddens on Signal versus Noise: Understanding Common CMMC Vendor Tactics

Allison starts off by reading the really bad apple emails. Bad mail merge, bad copy, and unconnected sales teams

We don't know what we don't know

We may not have a realistic idea of what your services cost

It can be tough to get management buy-in

Limited resources...people

@DoctorMac We may be worried about how these new services will affect the business process

Step One: Spell my name correctly, spell your name correctly, do not use absolutes, reference from someone good, keep it concise, avoid doomsday jargon

Step Two: HTTPS and have a web presence for person signing email

Step Three: Give me a pricing structure and have two references ready

Step Four: Answer questions: Will you share your shared responsibility matrix, do you keep all data in US, do you outsource any work to contractors, if you start using offshore services or getting bought do you give me three months' notice, and get out of contract.

Step Five: Do you do an SBOM or certification for anything that touches my systems, do you have a cyber insurance policy

Step Five: Ask about their hiring and HR policies so you know we can trust the people
