With the rollout of CMMC (Cybersecurity Maturity Model Certification) version 1.0, and the additions by the National Institute of Standards and Technology (NIST) in 800-172, federal contractors are spinning their wheels trying to figure out what they need to do, who to trust to do it, where they need to show their progress, and most of all, how they are going to pay for it all.
There is speculation that CMMC upgrades will be deemed allowable indirect costs, but the DoD has yet to rule decisively on this topic. For one, prime contractors will be held to a higher certification level than their subcontractors, so their implementation costs will be greater, which leaves no uniform basis for such a rule. Additionally, CMMC Level 3 affords compliance with DFARS 252.204-7012, which allows for chargeable indirect costs as well, but we still don’t know for sure whether this will apply to CMMC. So what do you do?
As with everything in business, having a plan is step one.
Part of your plan should be to get some professional advice on two fronts: compliance pathway and financing said compliance. Project Spectrum offers a great resource you can utilize to address initial cyber readiness. This and our article on CMMC compliance are free resources that can help get you started before you talk to your chosen cybersecurity and CMMC experts.
There are many controls required on the pathway to compliance, so choosing capable experts who aren’t overcharging is not an easy task, but it is necessary to get started now. Subcontractors are already being required to show their company’s NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Many prime manufacturers are mandating this in response to the November 30, 2020 interim rule, which requires that proof of a NIST 800-171 self-assessment, less than three years old, be documented within SPRS in order to continue doing business.
If you are actively working on a contract and see the expenses of becoming compliant adding up, it is time to seek financial advice on how to access the capital you need to maintain your role within the supply chain. NIST 800-171 is merely the framework on which the additional requirements of CMMC are built. The cost to a business seeking Level 3 CMMC compliance can be as high as $100K or more. Even though CMMC requirements are currently appearing in contract awards only slowly, the deadline for all contractors to be certified as compliant is steadfastly fixed at September 30, 2025. Typical remediation and implementation of the necessary upgrades takes six months to a year, and then you have to obtain a third-party assessment to validate your compliance for certification. Waiting too long could be the difference between keeping your contract and losing it.
The time is now for all federal contractors, big or small, to tackle these requirements. Parabilis’ team of experts can walk you through the financing options to fund your pathway to compliance. Our line of credit is an easy way to access the capital needed for operating expenses like NIST 800-171 and CMMC compliance. Connect with us today to schedule a free consultation and see how our service can work for your company!