Last Updated on June 30, 2022
As CMMC 2.0 moves ahead and more of the particulars are clarified, DIB orgs face a significant decision. The cost to uplift your company’s cybersecurity posture to CMMC 2.0/NIST 800-171 compliance from a “less secure” starting point is significant.
And that’s not the only concern. There’s also legal risk to companies and executives that misrepresent their compliance posture.
John Verry, Pivot Point Security CISO and Managing Partner, recently recorded a special episode of The Virtual CISO Podcast on recent CMMC 2.0 news and updates, including what he’s been hearing around the DIB about preparing for CMMC certification.
John relates comments from an executive who knows his DIB business isn’t fully NIST 800-171 compliant and is concerned they might face legal sanctions. He’s particularly concerned about his personal legal liability. A fellow exec had recently left his DIB company for that very reason, and this man was thinking of doing likewise.
Falling short of compliance
Another observation among DIB orgs is that prime contractors are pushing hard for CMMC compliance well ahead of CMMC’s inclusion in DoD contracts in May 2023.
John tells of one DIB member that lost out on a contract because, per their prime, “… 55 is too low of a score [in the DoD’s SPRS database] for us to work with you.” An exec from another prime summed up the reason: “We believe that a ‘certified supply chain’ is an advantage on the next trillion-dollar acquisition.”
Is we is or is we ain’t?
John has spoken with many people in recent weeks who are questioning whether to pursue CMMC 2.0 certification or not.
“You’ve got to look at the DIB as being, currently, a get certified or get out kind of decision,” John observes. “I’ve heard people say, ‘We’re leaving the DIB.’ I’ve heard people say, ‘We are investing in the DIB because we’re trying to gain market share from companies that are leaving.’ I’ve also heard people say that CMMC certification is a significant barrier to entry for new competitors. So, it’s a worthwhile investment because nobody is going to be able to come in and take our bread.”
John continues: “I think there’s an ‘is we or is we ain’t’ component here, and that’s just your decision point. I don’t think there’s a right or a wrong. I think the fundamental question is, can you generate a reasonable return for your business from your CMMC investment?”
“If it’s $100,000, if it’s $150,000, you’ve got to figure that out. It’s going to be a lot of money. It’s expensive stuff,” adds John.
No time to lose
John closes the podcast with one last thing to consider: May 2023 is a lot closer than you think.
“Generally speaking, implementing comprehensive cybersecurity programs like CMMC Level 2 or NIST 800-171 usually takes most organizations nine to twelve months if you don’t want to terribly disrupt business as usual,” John reminds. “And that assumes there are no backlogs, no challenges. If you need to migrate to a ‘Gov cloud,’ there are a limited number of providers. Right now, they can probably service you. In six or nine months? Probably not. There’s going to be a line. Same thing with C3PAOs.”
“So, I would encourage you if you’re going to make the investment, I think you should make it on the sooner side rather than later so we can make sure that we get you there by May or June of next year,” John concludes.
To listen to John Verry’s CMMC update show all the way through, click here.
Need to get an inside track on the CMMC 2.0 rollout? This recent podcast episode has what you’re looking for: EP#82 – Kyle Lai & Caleb Leidy – Ongoing Challenges in CMMC