
The CMMC Proposed Rule: Facts and Fiction

By Edward Tuorinsky

The CMMC Proposed Rule comes with lots of emotion. To help you separate fact from fiction, we sat down with our CMMC experts and asked the questions on everyone’s mind.

Why is CMMC happening?

The DoD addressed this query. “Because of the across-the-board risks of not implementing cybersecurity requirements, DoD was unable to identify any additional alternatives that would reduce the burden on small entities and still meet the objectives of the proposed rule.”

There really is no other way to protect the country’s infrastructure than to standardize cybersecurity for all DIB contractors and ask for proof of compliance.

When do we need to be certified?

There’s going to be a three-year rollout period. That sounds like a lot of time, but I want you to remember two things:

  1. It takes time to get this done and to do it right—compliance doesn’t happen overnight. Any delays could severely limit your ability to bid on contracts.
  2. Most DIB contractors will need to be CMMC certified. With a limited number of companies doing remediation and an even more limited number of C3PAOs handling the actual audits, you don’t want to wait until the last minute.

What’s the first step?

Companies need a solid CMMC plan and cybersecurity budget. Call around. Listen carefully. Get estimates for the remediation work and start planning for annual maintenance costs—this is not something you do once and forget about it.

What is CMMC going to cost?

Our team is happy to talk numbers and give you an estimate for the security work you need, but we can tell you this—the cost to become compliant is often less than one percent of a company’s revenue. It’s an unavoidable upgrade required to stay in the game, but we don’t think it will sink many companies. After a few budget cycles, cybersecurity will become just another operating expense, like rent or business insurance.

Isn’t the cost too much to ask of small businesses?

Cybersecurity standards aren’t new, but CMMC demands proof of compliance. Companies have had years to implement the NIST 800-171 standards and spread out the costs; however, most haven’t done it. If you are a very small subcontractor and don’t think you can stay afloat because of CMMC costs, consider asking your prime for support.

Having gone through the process ourselves, we know the astronomical cost of trying to DIY it, and we don’t recommend it. Find an expert firm with a good track record. Ask for a tailored plan instead of a flat fee or package, so that your remediation process matches your specific system, CUI needs, and number of employees. Make sure that your plan includes the documentation you’ll need for your assessment.

Are we responsible for our entire supply chain being compliant?

Following NIST 800-171 standards, prime contractors must also validate that their subcontractors meet the necessary CMMC requirements. Ask yourself important questions about the companies you are involved with: Is this company compliant or getting compliant? How critical is this company to my contract? Where else can I get this product, service, or technology? Where are the security vulnerabilities in my pipeline?

What will CMMC mean for those buying, selling, or merging?

I think we’re going to see cybersecurity become a very big topic among private equity and venture capital firms. They won’t invest in companies that aren’t CMMC compliant or well on their way, even if the pipeline’s filled with millions of dollars of DoD contracts. On paper, it looks like a massive risk and an avoidable expense. Plenty of investment opportunities don’t come with those issues.

What is the one thing that contractors don’t know about CMMC?

We’re in the early days of companies getting certified, so few owners or leaders can offer this perspective: Being compliant feels great. When DTS earned its Joint Surveillance Voluntary Assessment, which is equivalent to CMMC Level 2 certification, it was a huge relief. The systems and solutions we implemented made us a better, stronger and more secure company. It has already paid dividends.

Have other questions? We’re here to help. Start making your CMMC plans by contacting DTS to schedule a free consultation and estimate at 703-403-1841 or sales@consultDTS.com.
