CMMC compliance

CMMC 2.0: Partial compliance is noncompliance.

CMMC 2.0 is finally on the near horizon. And full compliance will be mandatory.

The transition of DOD contractor cybersecurity requirements from the existing DFARS (Defense Federal Acquisition Regulation Supplement) clauses to the new Cybersecurity Maturity Model Certification, or CMMC 2.0, is expected to begin as early as the fourth quarter of 2024.

Perhaps the most significant difference between the two: DFARS as it stands requires only self-certification and has been fairly lax in its enforcement, whereas CMMC will require third-party certification of compliance for most contracts that involve Controlled Unclassified Information (CUI), and will be strictly enforced.

Which means that if you are only partially compliant with CMMC requirements, in the eyes of the DOD, you are noncompliant and cannot be awarded a contract.


Many cybersecurity providers offer only partial compliance

With CMMC, partial compliance is not an option. Yet surprisingly, partial compliance is exactly what many cybersecurity providers offer their customers.

Some providers are value-added resellers (VARs) of the software commonly used to comply, most often Microsoft’s GCC High. Selling software is where they make their money, and they will recommend you buy the license before they even know what you need. This is at the root of the common misconception that GCC High is all you need to comply with CMMC, which is not the case: a license gives you a platform, not the implemented, documented and assessed controls that CMMC actually requires.

Other providers specialize in assessments, and that’s what they provide, typically at a high cost, but an assessment is only the first step toward compliance. Still others are consultants who go through an expensive boilerplate process that ends with a big binder outlining all their findings. Most of these providers offer little or no support to implement solutions to those findings.

So, one provider type sells software. Another sells assessments. And another, essentially, sells hours. Very few of these providers are selling full compliance. Surprising—shocking, even—but true.


Start your partner selection process with a simple question

If you’re like most smaller and mid-sized companies doing DOD work, compliance can be complicated. Government regulations are notoriously confusing. The process to comply can be complex. Even choosing the right partner can be a challenge, because everyone’s got a well-practiced sales pitch.

I always recommend that companies start the first meeting with any potential provider with one simple, direct question:

At the end of your process, will we be fully, 100% CMMC-compliant?

What you’re looking for is a simple, direct, “yes” answer. If there’s any hesitation or equivocation, any hems and haws, anything less than an unqualified affirmative answer, consider it a red flag. Choosing the wrong partner can make you vulnerable to the most common pitfall facing smaller defense contractors and subs—overpaying to under-comply.


The first steps to full CMMC compliance

The first step toward compliance is a mandatory assessment of your business against the CMMC requirements. From that assessment you are required to develop a System Security Plan (SSP), which documents how each requirement is implemented, and a Plan of Action and Milestones (POA&M), which tracks every requirement that is not yet fully met, who owns it, and when it will be closed.

As part of the assessment process, you must post a score in the DOD’s Supplier Performance Risk System, or SPRS. This is the NIST SP 800-171 assessment score, and it must reflect what is actually implemented, not what is planned. The DOD’s contracting officers are required to check your SPRS score. If you do not have one, you do not pass “Go.” You are not eligible to be awarded the contract.

Sound complex? It doesn’t have to be. The right partner will know the ins and outs of what’s needed for compliance, and will guide your company through the process to achieve it.


Look for this in a potential partner

You will greatly simplify your path to CMMC compliance if you look for these three things in a CMMC compliance partner:

End-to-end compliance services.  You’ll save significant time and money if you choose a provider that can guide you through all the steps required for your business to get and stay CMMC-compliant. Not just some of the steps. All of the steps.

Long and deep DOD compliance experience.  Look for a partner with extensive experience in the DOD data security space. It’s best to choose a DOD compliance specialist with deep knowledge that has done this many times before for businesses like yours.

A flexible, tailored offering.  You don’t want a boilerplate solution. The best providers in this space take the time to understand your situation before selling you a solution. They meet you where you are. They tell you exactly what you need, what it will cost, and then they deliver it.


Don’t wait

We all know how time flies for busy people and companies. There are never enough hours in the day, especially for overtaxed IT departments and personnel. CMMC 2.0 compliance is projected to be required by fourth quarter of this year, and fourth quarter will be here before you know it.

It makes real business sense to determine exactly what you’re going to need to do to fully comply, sooner rather than later.

And remember, this is a deeper issue than just DOD compliance. Hackers, whether individuals or state-sponsored, are a real and growing threat to your business. Spyware, ransomware, worms, viruses—don’t make the mistake of thinking that it won’t or can’t happen to you. If you don’t act to protect your business, it can, and for a growing number of companies, it has.
