As we approach the one-year anniversary of the CMMC (Cybersecurity Maturity Model Certification) rollout by the Department of Defense, are we any closer to knowing the “who, what, where, when and why… me” regarding implementation at the small business level? With government agencies being targeted ad nauseam by our foes through cyber breaches, there is no doubt the need for oversight is at hand. CMMC will require every GovCon to be certified by third-party assessors by the September 30, 2025 deadline. Some contracts are requiring compliance as early as this year, and still other contractors claim to have received notice from their Prime that compliance is needed now, or at the very least, a quality check of their NIST 800-171 self-attestation.
So, where do you stand in the conversation on whether it is a “now” issue or whether you still have time to spare? What are the deciding factors for small to mid-sized GovCons to invest in the control upgrades from what NIST 800-171 required to what will be necessary for CMMC? Across the board there are varying responses to the call to start now. While technology companies may have a leg up because making the move is within their own infrastructure, subcontractors outside of IT may be at a disadvantage. How will this affect their ability to win contracts in the years ahead? How long does the upgrade, remediation, and implementation process take?
Our cyber partners have assessed what we know now and see that the transition to CMMC compliance is a benefit on many levels. Protecting our national security by way of protecting our cyber safety is something every GovCon should be on board with, but it isn’t that simple. The DoD rollout still contains many unknowns, including when recertification will be required and how you can build the expense into your award process. What is known is that there has been no wavering on the final date for certification. We do know from cyber experts that remediation and implementation can take 6-12 months. We also know that England and the EU, for instance, have already implemented similar standards in their processes and have mitigated a risk that we still face.
So, what is the answer: should you get compliant now, or is there time to spare? Is there a benefit to beginning the process and proceeding in segments to spread out the expense, or is it better to just get it all done now? It depends on how much of a player your business is in the GovCon market, or how interested you are in moving up the supply chain and vendor lists with Primes that would otherwise never take notice. As with so many things in government contracting, it is the “chicken and the egg” problem. What comes first?
We are working closely with cyber professionals and experts to help you make a plan that will meet your needs and contract requirements, while also offering an option for alternative financing to help pay for the upgrades. While leaders of the Army and Navy are encouraging subcontractors to get on board, they still have no concrete dates for when CMMC will be a sweeping requirement. So, if they don’t know yet, how are you to navigate in the dark? Call us today and check out our website to see what we are working on that may be able to steer you in the right direction. The easiest way to make the best decision is to be armed with the best options. There is no better time to weigh your options than now!