Weighing the Pros and Cons of Acting Early on CMMC Compliance

Contractors in the Defense Industrial Base (DIB) know that they must stay compliant with Defense Federal Acquisition Regulation Supplement (DFARS) regulations or risk significant penalties. Still, some put compliance off for some undetermined future date.


The U.S. government knows this behavior is pervasive, which is why the Cybersecurity Maturity Model Certification (CMMC) program came about.


If your company has contractually obligated itself to DFARS but isn’t compliant, it is likely in breach of the law. If you overstate your compliance in compulsory reporting, you may be making false claims.


A recent case set precedent for using the False Claims Act to prosecute contractors believed to be non-compliant and resulted in a $9 million settlement. Attorney Greg Thyberg, who represented former Aerojet Chief Information Security Officer (CISO) Brian Markus, joined me at CMMC CON 2022 to discuss the case.


Under-delivering is no better. Your Supplier Performance Risk System (SPRS) score is the litmus test for whether you qualify to be awarded a contract. If it falls short, you may no longer find yourself eligible for contracts or have a contract win contested by more compliant competitors.


Ultimately, being DFARS compliant is more than just a patriotic or altruistic effort — it’s also the fulfillment of a contractual agreement that a contractor willingly entered into. Contractors should consider conducting CMMC readiness assessments sooner rather than later to ensure that they are up to date with their security protocols and remain eligible for DoD contracts.


When the final rule of CMMC 2.0 is codified, there will be a rush of action and confusion on the best way to achieve compliance. But we already know what CMMC 2.0 is based on. That is why it is important to be proactive and start your compliance journey today.


At CyberSheath, we have the experience to guide you on your journey towards compliance. Contact our team of experts to help you identify and address gaps in security protocols and prepare for the final version of CMMC 2.0 before it is released.

CyberSheath’s exclusive Federal Enclave is a “born compliant,” cloud-based solution for full compliance that’s easier, faster and more economical.