While major cyber breaches and advanced persistent threats (APTs) continue to plague government agencies and companies of every size within the Defense Industrial Base (DIB), the new administration is stepping in and considering an overhaul of CMMC, which has been touted as THE standard for compliance for doing work with the Department of Defense. No doubt everyone can agree that cybersecurity is a top priority for government agencies and the companies that support them, but how to manage the requirements, implementation and verification is still in question.
The CMMC-AB was established to create an advisory board of cyber experts to oversee the third-party certification verification, but even its mere existence has created controversy. So what are GovCons to make of this mess? Will these standards eliminate smaller companies from competing for contract work? Even industry leaders are skeptical.
In a time when protecting our data is more important than ever, and requirements are being proposed but not ratified, there is an underlying worry that cybersecurity standards may affect your ability to win federal contracts in the coming years. How will this alter who is able to play in this space? Will small businesses have more difficulty now in earning contracts or subcontract work? It is hard to tell because there is no consistency in the government’s response to the need for cyber standards.
Government Contractors: Hurry Up and Wait
While major breaches like the SolarWinds debacle make headlines and the constant threat of hacking scandals menaces local governments in several states across the country, the federal government has yet to produce a consistent rollout of cyber governance and to stand steadfast behind it. What we have is a rush to bring cybersecurity to the forefront, followed by a painful inconsistency in the recommendations for how to mitigate risk.
Government Contractors are encouraged to hurry up and upgrade their processes but be ready to make changes. What are the costs, literally and figuratively? Getting a jumpstart may just mean having to pay more when they change the rules. So, where do you begin?
What We Know
At the beginning of 2020, GovCons were told they had best get their act together and follow the regulations proposed by CMMC (Cybersecurity Maturity Model Certification). But as the year went on and numerous changes were made to the program, no one seemed able to explain accurately what the final objective would be. The only aspect that held strong was the September 2025 deadline for CMMC compliance for all government contractors.
Recently, the National Institute of Standards and Technology (NIST) delivered a special publication to bridge the gap between NIST 800-171 and CMMC. The newest standards, in NIST 800-172, identify key management procedures with respect to Controlled Unclassified Information (CUI). According to the abstract:
The enhanced requirements supplement the basic and derived security requirements in NIST Special Publication 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and non-federal organizations.
While this information is all well and good, it raises the question: Where do you start? To whom does this apply? When do these standards have to be in place? To whom do you have to prove your compliance, and where do you show the proof of what you’ve done? Small businesses will have to figure it out or risk not being able to win the work.
Cyber Security Compliance Planning
With all of the revisions and withdrawals of NIST 800-171, originally published in 2016 and then revised in 2017, 2018, and finally in February 2021, it is best to start here. Mapping frameworks and general information provide you with the necessary details of what makes you compliant with the standards being recognized today.
As you make the recommended upgrades, it is best to show your progress within SPRS so anyone you do business with can see your process and status with regard to the framework. As the federal government and the new administration figure out what to do with CMMC, it is best to get your business cyber-ready and capable of handling the amount and level of data necessary for your contract work.
Parabilis partners with experts in the cyber industry, and can refer you to professionals that can assist in the necessary framework upgrades needed for your business. It is not a cookie-cutter solution, but rather a custom approach to your needs.
Additionally, Parabilis can help establish a plan with you to determine the necessary financing needed to make these changes and be able to keep up with your contract obligations along the way. The ongoing process of cybersecurity will be ever-present in your operating expenses.
You will need to keep your data secured and one step ahead of outside intruders at all times. Let our team of financing experts help you map out a plan and provide you with all of the resources you will need to be cyber safe and compliant, and also able to pay for the services you need. We are all in this together – schedule your consultation with our team today!