An aerial view of the Pentagon

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We’re moving into a global cyber era and we’ve got to get better at protecting ourselves.


Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we as a nation are losing data at a rapid pace. We need to step up and take the necessary steps to guard our proprietary information so that we are not behind the power curve in an armed conflict where the other side has our intellectual property and understands our weapons systems.


CMMC 2.0, which is based on the 110 controls of NIST 800-171, is the means by which the Department of Defense (DOD) is working to secure the DIB. Where do things stand now—and what has been happening to enforce the implementation of these controls? Here is some insight Stacy Bostjanick, ​​Chief of DIB Cybersecurity for the Department of Defense, shared at our recent CMMC Con.


How SPRS will be used by contracting officers

Cybersecurity criteria is going to be included in government contracts. When a contract comes out and says it requires CMMC certification, contracting officers will review the supplier performance risk system (SPRS) database and validate that a company has the required certifications before award. Contracting officers are going to have a requirement to ensure that you can protect and handle that data before it is given to you.

Stacy shared an example of lost intellectual property that has resulted in an F35 that looks just like our JSF flying around in China. US engineers worked 24 hours a day to make that plane come to fruition. Because we didn’t protect ourselves, our supply chain, and our data, an entity downloaded the designs and started building it for themselves without having to do any of that work.

Stacy stated, “As a federal employee, I have worked my entire career to ensure that our men and women that go into armed conflict to protect our freedoms have the best advantage to make it home to their families. By not protecting this data, by not staying out in front and on top of it, we’re eroding that ability.”


Self assessments gain visibility

Recently, Stacy’s department started making sure all companies doing business with the DOD were entering their own self assessments in SPRS. They are also starting to look at the scores. The DCA team has been contacting people and having conversations about what they entered into the system.

In one case, she said, there was a company that had initially entered a perfect score of 110. Once that entity discovered that a reviewer might be in touch to validate their initial entry or that DCMA DCA might come out and conduct an assessment, they changed their self assessment score to negative 140. The huge swing had the DCMA team questioning the veracity of both entries and wondering what the real answer was.

Companies need to be honest. And a less than perfect score does not necessarily translate to losing out on all opportunities. There might be a program manager that’s willing to accept the risk and move forward. The DOD needs to be aware of the risks of doing business with each member of the DIB so that they know what steps to take to protect themselves. There’s a significant risk to a contractor who isn’t forthright and honest.


The time is now

It’s never been more important to take the necessary steps your company needs to protect your intellectual property, your data, and your partners. And we need to work together to benefit the DIB as a whole.

Stacy adds, “I would ask those who have gotten their cybersecurity in line to assist the others. We need to work together as a community to make sure that we bring forward best practices and help each other understand how to protect ourselves in the cyber posture across the board. Help your brother to make sure that everybody is secure, so we don’t lose our shirts to our adversaries and end up in a scenario where we’re not number one anymore.”

And for those that are looking for some financial incentive, the longer you wait to implement your cybersecurity controls, the more expensive it gets.


If you would benefit from our assistance with understanding and implementing the controls in CMMC 2.0, give us a call. We would be happy to work to help you achieve your cybersecurity goals.

Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyberthreats.
This is default text for notification bar