Reason 2: CMMC Implementation Timing Risk
For the sake of argument, let us assume that I (and the DoD) am right that CMMC is going to happen. And, let's further assume that CMMC will be rolled out as planned with the renewal of defense contracts in 2021. If this is the case, the new defense market will select winners and losers by a contractor’s ability to demonstrate they can protect secrets via CMMC Certification. The CMMC Accreditation Body (AB) defines ten steps to CMMC certification. The AB also states companies should plan at least six months to complete the certification steps. However, this assumes that the company is already compliant with the existing cybersecurity requirements under DFARS 252.204-7012, specifically NIST SP 800-171. If a company is not compliant with the current DFARS requirements, then CMMC compliance could take much longer than the AB’s six-month estimate.
Do you see the problem yet? Earlier, I pointed out that according to audit data, only one percent of defense contractors were compliant with the existing DFARS requirements. Many of the cybersecurity compliance gaps will take contractors months to fix. Take the CMMC practices that require the implementation of a process. Often processes require hiring qualified people. That alone could take months, especially for cybersecurity professionals, who are in short supply. Companies that have not completed a CMMC or NIST SP 800-171 self-assessment would not know if they are six months or a year from reaching CMMC compliance. Also, the requirement that subcontractors be CMMC certified as well could extend the certification time for prime contractors. You don’t have to be a PMP to realize there are too many unknown variables that could extend the CMMC compliance timeline well beyond six months. Companies who are late to understand this risk could end up easy prey to their competition.
The Proactive and the Reactive
It is our experience that compliance initiatives divide companies into Proactive (companies quick to respond) and Reactive (companies who wait to respond). While many initiatives can favor or at least not penalize the Reactive too much, CMMC is different.
CMMC will have more substantial penalties for the Reactive contractors because the time it will take to be compliant is likely longer than expected. Also, CMMC has hard deadlines since the contracts will require it, and the DoD does not have room to compromise or delay CMMC implementation. Further, because CMMC compliance is independently validated to ensure there are no exceptions to the standard, contractors will not have any wiggle room to shortcut compliance. However, the DoD does have wiggle room: it can award the work to Proactive competitors.