- Getting to the point of compliance before the deadline
Most current DoD contractors will have to wait at least two years for CMMC to be completely adopted. If you already have one or more DoD contracts, you have roughly that much time to prepare. Making meaningful improvements to a security program, on the other hand, can take years, as everyone in the cybersecurity industry knows. There is no time to waste, because the NIST 800-171 requirements will compel most DoD contractors to make significant enhancements to their existing programs.
- Obtaining compliance before bidding
The timeframes associated with CMMC could be substantially shorter if you’re a potential DoD contractor. New DoD contracts will start requiring bids to meet a certain level of CMMC compliance within the next few months. The rule is simple: if you don’t have certification, you won’t be able to get a contract. CMMC compliance is a major hurdle just to be allowed to submit a bid. After achieving compliance, there is no certainty that a firm will be able to win a contract, making CMMC a significant barrier to becoming a DoD contractor.
- Getting ready for a CMMC assessment
When it comes to compliance, the cost isn’t the only issue. There’s also a lot of work to be done to prepare for a CMMC assessment. After all, simply being compliant isn’t enough; you must be able to demonstrate it. While the exact details of the CMMC evaluation process are unknown, it’s a safe bet that contractors will be required to present paperwork and real-world verification that all of the requirements have been met. Naturally, setting up and maintaining the mechanisms needed to produce this proof will add to the time and resources required.
- CMMC’s scope may expand beyond the Department of Defense.
While CMMC is now limited to DoD contracts, other government departments and agencies have adopted comparable requirements in the past. The Cybersecurity and Infrastructure Security Agency (CISA) mandate requiring all federal civilian agencies to implement a Vulnerability Disclosure Policy (VDP) — a path blazed by the DoD and US military — is a recent example of this trend. What does this signify for businesses that do business with civilian federal agencies? Nothing at the moment. Given this history, though, don’t be shocked if CMMC is expanded to include certain civilian agencies within the next few years.