March 27, 2023

Last Updated on June 24, 2024

With the May 2023 Cybersecurity Maturity Model Certification (CMMC) rulemaking now just weeks away, many of the US defense industrial base (DIB) entities we are chatting with are still taking a “wait and see” approach to moving forward with “formal” compliance with NIST 800-171/CMMC V2 Level 2.

Personally, I think this is a mistake, as the goal line is clear. It hasn’t moved in 6 years. You currently need to conform with DFARS 252.204-7012, which mandates compliance with NIST 800-171. CMMC V2 amounts to the same thing from a controls standpoint.

Here are 7 reasons why moving forward with a robust implementation of NIST 800-171/CMMC now makes a lot more sense than waiting until after the CMMC rulemaking:

  1. Primes are requiring a legitimate self-reported score indicating compliance with NIST 800-171 (a 110 score or close to it) in the US Department of Defense (DoD) SPRS database. If you haven’t received an email from one of your Primes indicating that they can no longer do business with you until you provide a copy of your System Security Plan (SSP) and confirm that your score in SPRS is above X, you soon will.
  2. With each invoice you submit, you are asserting to the government that you conform with the DFARS 252.204-7012/NIST SP 800-171 requirements in your current contract(s). You may be subject to prosecution by the US Department of Justice (DoJ) under the False Claims Act if you don’t. Settlements and judgments under the False Claims Act exceeded $2.2 billion in the fiscal year ending Sept. 30, 2022. You don’t need any part of that drama.
  3. The costs to pursue compliance will never be lower. It’s basic supply and demand. On a near daily basis, I speak with CMMC Registered Provider Organizations (RPOs) and Certified Third-Party Assessment Organizations (C3PAOs) that currently have bandwidth.
  4. Getting certified means you are more secure, hence less likely to incur a business-impacting breach. Remember that DFARS 252.204-7012 Clause C obligates you to “Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.” An incident will likely result in a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) review. If you misrepresented your NIST 800-171 conformance in SPRS, you might be subject to a False Claims Act action.
  5. You may get an extra year before needing another audit. The current policy is that voluntary assessments done pre-rulemaking will convert to a CMMC Level 2 certification. If that conversion happens a year from now, for example, it will push your first recertification assessment back by a year.
  6. A CMMC voluntary assessment or a robust SSP and a legitimate score of 110 in SPRS will be a competitive advantage when bidding on projects.
  7. Moving now is like having a Disney “Fast Pass” with the consultants, C3PAOs, and vendors (e.g., AOSG, Preveil, SIEM, MFA) you likely need to work with to achieve CMMC compliance. Even so, it may take 6 to 12 months to prepare for a CMMC assessment. It’s entirely possible that if the market moves as one in May there will be months-long queues waiting for those same consultants, C3PAOs, and vendors.

Best of all, there’s no downside to achieving CMMC certification sooner. You get all of the above benefits for the meager cost of time-shifting money by a few months.

For more information regarding CMMC changes, read through the following blog: https://www.pivotpointsecurity.com/cmmc-rulemaking-changes-again-whats-the-timeline-now/