The Biggest Takeaway for the DIB from CMMC Con 2020

By Kristen Morales • December 2, 2020

At CMMC Con 2020, we heard about the threat from China, next steps for CMMC, and how no one in the Defense Industrial Base (DIB) has all the answers. After an immersion in why the CMMC is essential and what the requirements are, the one question remaining is: What now?

We wrote a book about how to get started — get your free copy here. It’s a plain-English guide to everything you need to know about achieving NIST 800-171 and CMMC compliance as a contractor in the DIB.

But next steps were a focus of the sessions at CMMC Con. The biggest takeaway: Get your self-attestation recorded or risk lost business.

One of the clearest wake-up calls came from Katie Arrington, who noted that “every vendor, every contractor as they are going to contract award will have to do a self-attestation and record it on the SPRS platform .… It’s the dawn of a new day.” She later emphasized: “All new awards as of November 30, 2020 have to have this self-assessment.”

This was a stark reminder of what the DIB has been hearing with increasing urgency for a couple months. We got the DFARS Interim Rule at the end of September. Starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th.

While everyone was supposed to be doing this for the past five years, a lot of this is new, like submitting self-attestations to the SPRS. Everyone is playing catch up. But that doesn’t mean everyone is taking it seriously just yet. And they might not until it hits their wallets.

Arrington said in her keynote there are signs of improvement in compliance, but in the assessments, we perform for our clients, we haven’t seen that. Reviewing our data, it’s clear contractors and suppliers have a way to go.

There are many reasons why. In part, the five NAICs codes cited in the DFARS interim rule are so broad they’re pulling in contractors that weren’t aware they had to comply: Research and Development in the Physical, Engineering, and Life Sciences; Engineering Services, Commercial and Institutional Building Construction, Other Computer Related Services, and Facilities Support Services. As a result, we have been working with construction and architecture firms that don’t understand why the rule applies to them.

Several other suppliers are stuck between a rock and a hard place. Organizations that are supposed to have met the standards for the last five years have been taking contracts, thereby certifying they are 100% compliant. But it was self-certification, and no one was checking. Now, do they score themselves honestly and open themselves up to False Claims Act liability for contracts they have taken? Or do they score themselves aspirationally and try to make up ground before anyone comes knocking on their door?

The answer is to get the process started as soon as possible. Read our book for more background. We’ve been performing assessments for years and understand what’s required and where and how most contractors need to improve.

The one silver lining from Arrington’s keynote is that the DoD recognizes the cost of security. She noted: “We are willing to pay for it, we are willing to say security is an allowable cost … build it into your rates.”

The challenge now, as we heard all day at CMMC Con, is to get it done on deadline.

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft